iTC Meeting Minutes 2023 07 20 - DSC-iTC/cPP GitHub Wiki

Agenda

Attendees

  • Brian Wood

  • Shawn Geddis

  • Yi Mao

Record of Decisions

  • None

Action Items

  • None

Minutes

The call started with a quick discussion on the pull requests. Brian pointed out that he had made updates to two that had been conditionally approved and was waiting for further approval, and that another one had been created to add more sites to check for vulnerabilities. These should be approved for merging.

Brian then reviewed the project list and pointed out that of the 29 crypto requirements, most are probably resolved by the Crypto WG updates. He is working on getting all those changes into the draft now and has a draft pull request for the work.

The call then moved on to discussing the changes and the comments being collected for the Crypto WG. Brian had posted a review of the changes and Yi had provided her own analysis. Brian is using these to add the new SFRs and replace existing ones. From this he is generating comments to provide back to the WG. He will send those comments around before the end of the week so there is time for the iTC to consider or add more.

Of the requirement changes, the one that seems to be potentially the biggest issue is the change from FCS_CKM.2 to the new FCS_CKM.2 and FCS_CKM_EXT.7. Since all the algorithms from both are wanted (they are all included in the current iteration of FCS_CKM.2), there is a question about how to make these selectable. Brian asked if we could assume every product would have one or the other and then make the other one optional, but that didn’t seem to be the case. Brian then wondered if we would get it for "free" with the CC:2022 changes, bringing in some dependencies with new or updated requirements from that change. This isn’t known yet, so for the time being both new SFRs would be left in the same mandatory location until we had a determination of how to handle it (so they would both be seen).

Brian then said the major concern he has is the hardware attacks. Shawn said we need some SMEs for that, and everyone agreed. Brian said he would see about reaching out to someone he knows from BSI to see if they have any thoughts or could provide some assistance, as the questions came from BSI. Brian also wondered if this may be able to be handled without getting into too many details, instead leveraging the JIL document that is referenced (though that is 60 pages of info that is not readily usable without a bit of work).

The call ended at 12:59pm EDT.
