PADv2 Repo Access

[woodbe]

@gregott thoughts:

• Active participants
• Labs doing testing (can't just be any lab)
• Vendor under test (has to show intent of some sort)
• SMEs invited to work on project

@woodbe Schemes would have to have access (verified)

Limits on number of people from an org - mainly 1 unless multiple are active (maybe 2 if needed)

Regular review of list

• quarterly access check?
• Verify org membership

Need to have scheduled calls (even if no active issues) to maintain group

@ccparran

• definitely need to ensure multiple person access, though funneling through small points of contact seems fine
• Concern about losing control though, since once it is downloaded, it is available
• NIAP example - internal copy would be maintained privately to be used, under access control

@woodbe - create an attestation document that has to be "signed" by any org before granting access, sort of an NDA, keep it under control, delete when no longer needed

@gfiumara - maybe request that only be used as clone from GitHub? Internally hosted instance?

@gregott - what about country restrictions?

• Could we create a create a subset of tests which are only released to lab (maybe scheme) but not to vendors (maybe base this on the AP, anything about Enhanced-Basic would only be available to lab/scheme/active)
• Discuss with schemes & SMEs about this, which ones should be "protected" in this manner
• Restrict to CCRA markets (have to sell device(s) under eval somewhere in that market)

[woodbe]

Items to create:

• General doc
• Access List (to be maintained)
• attestation doc

[n-kai]

@woodbe You can refer SOG-IS documents (*1) to develop our documents. The JHAS develops and maintains smart card attack method document and this document is only shared within the JHAS members. So JHAS corresponds to our iTC and smart card attack method document corresponds to the PADv2.

For example, JIL Subgroup participation rules defines membership requirements to join the JHAS. Such information may be helpful to create our documents.

*1) https://www.sogis.eu/uk/detail_operation_en.html