Closed woodbe closed 3 years ago
I just used the word "computer device" in the draft ESR to follow the term definition in BIOPPM (BIOPPM defines the word "computer", so I should have used the same term). I agree with you if we don't have any plan to create a PP-Configuration for OSPP and CMFA-PPM.
When I read "computer device" or similar in the ESR, it feels very clunky.
https://github.com/biometricITC/Administration/blame/e8b34a380cad3f45e4352cfecbe47c456ac47b21/CMFA_ESR.adoc#L54
I get the point, technically any computer could have CMFA, but I think we should go with mobile device instead. My logic here is that it seems unlikely that anything that is not mobile would actually have CMFA on its own (this could be possible, but it seems unlikely given that about the only thing it could realistically check probably would be whether the right person is at the computer (say with a webcam sitting on the monitor)). This then raises questions though about some of the other expectations we have, like processing in a secure operating environment (like a TEE or something along those lines), as PCs don't typically have these (they do have things, but not usually set up like this, and the input from a webcam isn't going to be on a trusted path like a camera should be on a mobile device like we are talking about here).
It isn't that I'm trying to limit where CMFA can be installed, but I think that based on what we have been looking at, it is reasonable to expect that this iteration is going to be on some sort of mobile device (most likely a smart phone, though a tablet may work, and maybe a watch or glasses could be made to work with limited inputs based on the expected parameters, but all still technically "mobile") and not a PC (or likely even a laptop). I think PC (or laptop) use of CMFA is more likely to come from consuming a mobile device CMFA system's output than on making some determination directly. A stationary device doesn't have enough insight into the actual user on its own to make a decision.