biometricITC / cPP-biometrics

Contains the development of a Collaborative Protection Profile for biometrics
MIT License

Supporting Document v1.1 Section 2.3.2 FIA_MBE_EXT.2 #368

Closed xahun closed 2 years ago

xahun commented 2 years ago

Supporting Document v1.1 Section 2.3.2 FIA_MBE_EXT.2 - This test requires some product, other than the one being tested, to be developed for the purpose of testing. The access required for the testing seems rather invasive and I wonder if it would always be possible to get access to required data in what might be separate and secure internal operating environments. This possibility should be addressed in some manner. It is assumed that the developer provides the quality assessment report (i.e., it is not created by CC evaluators). This seems like expert subject matter and it is not clear a CC evaluator would or even should be generally qualified to assess that document à la the AGD_OPE/ADV_FSP activity in section 2.3.2.5.1. Rather, the guidance for its evaluation should be broken down and itemized so that it is clear specifically what to look for and what would be good enough; otherwise consistency cannot be assured in any real degree. Same comment for Section 2.3.4 FIA_MBV_EXT.2.

woodbe commented 2 years ago

(from call) The intent of the test is to have the vendor provide a quality score threshold such that the evaluator can see that the score is in use. The point is to be able to show that the quality of the sample is above or below.

The concern is that if the evaluator isn't familiar with biometrics, it may be difficult to determine what is acceptable.

woodbe commented 2 years ago

2.3.4.4b: change the "shall" to "should"

2.3.4.4d: this should become conditional from the results of 2.3.4.4b

@woodbe to make PR

woodbe commented 2 years ago

also do this for #369