iTC Meeting Minutes 2024 01 18 - DSC-iTC/cPP GitHub Wiki
Call started at 12:02pm EST
-
Yi will provide a proposed update to PR #207
The call started with a review of the open Pull Requests. Pull Requests #208 - #216 were merged with minimal discussion.
After merging those changes, the next topic was PR #207. This generated a lot of discussion regarding whether or not PBKDF should be included as an online hammering protection method or not since it is really about key generation, not authentication protection. It was stated that while it may not be explicitly designed for that purpose, the workload capability of the algorithm has meant that in the past it has been used in that manner. Brian pointed out that the v1.0 requirement was all tied into the PBKDF requirement that forced high rounds, and that the modification in the TD allowed other methods for providing the equivalent workload in terms of cost for guessing the credential. It was agreed that PBKDF is not necessary, but has been used in the past. Brian agreed this could be removed, but based on the previous version, seemed to be needed with the split of the requirements (bringing in the FCS_CKM_EXT.8 from the crypto catalog).
The main point of this new requirement was that it was a mandatory requirement to prevent online authentication hammering, not cryptographic specifically, just authentication. As such the need for the PBKDF may not be high. Brian also pointed out that some of the question about limits (like attempts allowed per time) have been specified in FIA_SOS.2, which may not be the right place for it, but does seem to set some minimum expectations.
Yi will propose an update to the PR and will be reviewed for the next call.
Brian then quickly reviewed PR #217 about the sessions description. There was some question about whether the DSC cannot have outside connections on its own, or maybe that the sessions needs to be specifically set for platform access and doesn’t apply to outside connections.
Brian also noted that one confusing part in the sessions PR was the use of "CA" which normally means Certificate Authority and not Client Application as it does in the cPP. He created an issue to change CA → CApp to remove this ambiguity.
Lastly there was a comment about roles. Brian stated he has an idea about how to modify the roles description to make it work better in the document and will have a PR ready for the next call.
The call ended at 1:07pm EST.