In the PP_APP_v1.1, SFR FCS_CKM.1.1 is a Selection-Based Requirement and is included only if FCS_CKM_EXT.1 is also included. FCS_CKM_EXT.1 is listed as only being required if FCS_TLSC_EXT.1 is selected. However, the Selection-Based FCS_TLSC_EXT says nothing about FCS_CKM_EXT.1, so there doesn't appear to be a reason to ever include FCS_CKM_EXT.1 in a ST. But without including FCS_CKM_EXT.1, there is no reason for including FCS_CKM.1.1.

It has been determined that this was a flaw in the PP_APP_v1.1 and has been corrected in the App PP V1.2 so that selecting FCS_CKM_EXT.1 in FCS_TLSC_EXT.1 can now result in the selection of FCS_CKM.1.

NIAP acknowledges the discrepancy and proposes modifying the application note for FCS_TLSC_EXT.1 to state:  If “implement TLS 1.2 (RFC 5246)”is selected, then FCS_CKM_EXT.1 is required.

The omission of FCS_CKM.1 was an oversight during development of PP_APP_v1.1 and, hence, the proposed resolution will allow evaluations against PP_APP_v1.1 to include FCS_CKM.1.1.