CMFA Resources to be protected

[woodbe]

I am not certain about the resources to be protected list. This is based on #28.

• The trust score that is determined by the CMFA and passed to the computer.

I am not sure about this one. I don't know that the final score itself needs to be protected. I agree that how it is passed to the computer needs to be protected (since you wouldn't want to be able to intercept/spoof the score itself), but I am not sure about the score itself. I expect that the computer has something that says "unlock if the score is at least 75" whatever that means, and the computer would just get that score. I don't know if this needs to be protected. I think the focus should be on a trusted path (I know that is a loaded term, probably more like a protected path) to the computer authentication mechanism. Maybe something like this:

The CMFA product must have a protected channel to present the trust score to its operating environment

• Any personal information gathered by CMFA, such as biometric information and behavior patterns of a user.

I have several potential issues with this one. The first is whether we need to specify privacy law into a CC SFR. I'm not disputing the privacy concerns, I'm just not sure if they are anything additional to the last bullet.

• Any data used to determine the trust score including CMFA configuration data.

This one I see as fine (not sure about the phrasing, but this is fine)

[n-kai]

I just categorized resources into three based on requirement on data (e.g. CIA (Confidentiality, Integrity and Availability)) so that additional or specific security requirements for each category can be defined.

• trust score: As you mentioned confidentiality is unnecessary but IA and trustworthiness (trust score should reflect the state of user accurately) requirement should be defined for the trust score
• Any personal information gathered by CMFA: CI(A) and any other requirements that required by major privacy regulation should be defined (we don't need to specify privacy law into a CC SFR but adequate data security requirements should be defined)
• Any data used to determine the trust score: CI(A) requirement should be defined.

But I assume in the end that the same security requirements can be defined for all three type of resources like "all data should be retained within secure execution environment"

[gregott]

Confidentiality of the CMFA score is a good idea. We do not want to provide feedback to an attacker that he is getting close to a device lock if he keeps going South, for example.

[n-kai]

@gregott you are right. I should have said that the confidentiality of CMFA score is necessary and should only be disclosed to the trusted external party (e.g. Banking service) after a mutual authentication