Open woodbe opened 2 years ago
FCS - nothing at this time; if a request for this comes up, then it could be reviewed to be added.
FDP
FDP_RIP as optional while we see if needed
FDP_IFC -> FTP_TRP to show trust of input signal (@ccparran)
FDP_ACC/FDP_ACF required
FIA
enrollment verification trust (profile and individual input)
PAD - should be optional, flexible and targeted to individual inputs, not to combined output
PAD probably needs a lot of thought about how to make it work well. It is likely mandatory to have SOMETHING, but not for everything, and how it applies will need to be flexible.
FMT
Do we need trust of MDM? (@woodbe thinks this should be handled by MDM Agent or similar to establish trusted management connection)
FMT_SMF/FMT_MOF listing
FMT_MSA for default settings?
FMT/FPT (from @n-kai)
Can the user turn CMFA off? What are the boundaries of control for the user (can they just select from options from the admin, or are they forced to use what the admin sets with no changes)? Can the user enroll biometrics optionally? For example, if the admin chooses gait as an option, does the user HAVE to enroll their gait, or can they just leave that unenrolled and just use the resulting inputs? And how does that potential change impact the scoring?
FPT (@ccparran)
Should trusted update be considered?
@woodbe thinks that at this point we should look at it as part of the OS/system, and leave trusted update to that. In the future it could be considered an app, and maybe have a PP-Config for an App PP (either NIAP or iTC), and then rely on that to have the trusted update component instead of trying to write it directly into the PP here.
FCS
FDP
FIA
FMT
QUESTION: How to enroll the device into CMFA management? Is this available as a user function? So we assume that the device is managed and the MDM needs to support CMFA?
FPT