FIA_CMCC_EXT.1, FIA_CMCS_EXT.1.3, and FIA_CMPC_EXT.1 Mutual Authentication

[kenji-lightship]

The SFRs require renewal requests using mutual authentication; however, it cannot be guaranteed the certificate that is being renewed is a TLS client certificate, so the TLS/HTTPS server would be expected to reject the mutual authentication due to an invalid EKU (lack of TLS client EKU).

[jfisherbah]

• FIA_CMCC_EXT.1 app note - added clarification as to when clientAuth EKU is needed
• FIA_CMCS_EXT.1.3 app note - added clarification on what must be included based on the supported transport of CMC request
• FIA_CMPC_EXT.1.2 SFR updated to make the controller of CMP import/export capability selectable between admin and supported function capabilities
• FIA_CMPC_EXT.1.2 app note updated to clarify when one vs the other controller would be selected in CMPC_EXT.1.2
  Believe can be closed.