Requiring X.509v3 certs for "code signing for TOE updates" can not be met by products that execute on top of an OS and rely on the OS's update mechanism.

For FIA_X509_EXT.2.1, "authentication for code signing for TOE updates" is moved into the selection list and "integrity verification for TSF software and firmware" is removed. The SFR and application note are replaced with the following:


FIA_X509_EXT.2.1: The TSF shall [selection: use, interface with the Operational Environment to use] X.509v3 certificates as defined by RFC 5280 to support [selection: authentication for code signing for TOE updates, IPsec, TLS, HTTPS, SSH], and [selection: integrity verification for TSF protected data, [assignment: other uses], no additional uses].

Application Note: The ST author‘s selection of trusted communication channel is expected to match the selections in FTP_TRP.1.1 and FTP_ITC.1.1 (if FTP_ITC.1 is included in the ST). Certificates may optionally be used for integrity verification (FPT_TST_EXT.2) and other uses. "Authentication for code signing for TOE updates" is an objective requirement and will be mandatory in future PP versions.

This change makes OS based updates acceptable and makes the CAPP commensurate with other PPs in its allowances for signed updates.