In the new OSPP v4.3, test cases 73 and 74 should be marked as conditional on whether X.509 certificates are claimed as an authentication mechanism defined in FIA_UAU.5.  Currently they appear to be mandatory test cases.

FIA_X509_EXT.1.1 Tests 73 and 74 in Section 5.1.6 of PP_OS_V4.3 are modified as follows, with underlines denoting additions:

[Conditional, to be performed if "authentication based on X.509 certificates" is selected in FIA_UAU.5]:

The evaluator will generate an X.509v3 certificate for a user with the Client Authentication

Extended Key Usage field set. The evaluator will provision the OS for authentication with the

X.509v3 certificate. The evaluator will ensure that the certificates are validated by the OS as per

FIA_X509_EXT.1.1 and then conduct the following two tests:

Test 73: The evaluator will attempt to authenticate to the OS using the X.509v3 certificate.

The evaluator will ensure that the authentication attempt is successful.

Test 74: The evaluator will generate a second certificate identical to the first except for the

public key and any values derived from the public key. The evaluator will attempt to

authenticate to the OS with this certificate. The evaluator will ensure that the

authentication attempt is unsuccessful.

See issue description.