FPT_KPY_EXT.1 and MDF #43
Description
I would actually think this should probably have a required choice for stored keys when paired with the MDF in that the "the plaintext key is stored in the underlying platform's keystore as specified by FCS_STO_EXT.1.1" selection would be required when paired with the MDF. It would seem odd to expect the keys to be stored elsewhere when in a configuration with the MDF as the base and not the App.
I guess there could be an option for something like a smart card, though I'm not sure if the key is stored there or if the card would be used to unlock (decrypt) the key stored in the keystore.