Closed kgal closed 9 years ago
Have you looked at the comment from Citrix on this issue? I think they make a good point on how this can be changed to not be subjective.
Changed such that developers much provide justificaiton and evaluators much check justification.
Microsoft and Acumen (and others?) questions whether FDP_DEC_EXT.1.3 requiring evaluators to make a judgement on whether an application needs all the privileges it requests is too subjective objective. It is subjective, but we don't really have another way. Are we standing by this?