Re: [open-regulatory-compliance] Draft Technical Descriptions

Hi Tobie, all


I added some comments about confidential computing and hypervisors. I created a PR for this. Is this the right approach? https://github.com/orcwg/cra-hub/pull/182

Specifically, I think it's confusing where the following elements fall:

  • vTPMs; do these fall under the same category of TPMs? I would assume not, because that definition explicitly mentions "hardware components". What about vTPMs that are middleware layers on top of hardware TPMs?
  • Hardware components that provide TEE functionality: Do these fall under "secure elements"? They are (at minimum) used for very similar functionality as TPMs, and protect data. But they're not explicitly mentioned, and they could also just fall under "Microprocessors with security-related functionalities". My intuition is that these should fall into the same category as TPMs, because they're also tamper-resistant microprocessors that protect data and keys. Not just general security components.
  • Hardware hypervisors: do these fall under hypervisors or under "Microprocessors with security-related functionalities"?

In my opinion, the most confusing part is the category of "secure elements", because this seems to be an afterthought in the larger category of "smartcards", even though it explicitly mentions TPMs, which are very unlike smartcards. Smartcards are tamper-resistant devices while TPMs are tamper-resistant components of larger devices.


     
Merlijn Sebrechts, PhD
Senior researcher
IDLab, Ghent University, in collaboration with imec
Use my booking page to meet with me
     


From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Sent: Monday, 24 March 2025 13:59
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Tobie Langel <tobie@xxxxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Draft Technical Descriptions
 
Hi all,

I've made it easier to link to specific definitions in the draft implementing act. For example, the definition for operating systems is here: https://github.com/orcwg/cra-hub/blob/main/product-definitions/input-to-draft-regulation.md#important_class_i_11

I've also added these to the open pull requests so it is easier to see the comments and proposed changes. For example, here's my comment and proposed changes for pull request #177 on browsers: https://github.com/orcwg/cra-hub/blob/tobie-prod-def-browsers/product-definitions/input-to-draft-regulation.md#important_class_i_2

I do want to remind people that the window for input is closing quickly and I'm not seeing any uptake on providing comments or proposed changes. Does this mean people are globally satisfied with the proposed definitions?

If not, please consider providing some input quickly and if you're struggling on how to do this, please let me know asap.

Thanks,

--tobie

On Wed, Mar 19, 2025 at 11:59 PM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:
Hi all,

Quick Follow-up on providing input to the technical description of important and critical product categories.

Please find our process for collecting comments and proposed changes here: https://github.com/orcwg/cra-hub/tree/main/product-definitions

And please find a first example of a comment to get us started right here: https://github.com/orcwg/cra-hub/pull/177

Looking forward to your input.

Thanks,

--tobie

On Sat, Mar 15, 2025 at 5:10 PM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:
Thanks for sharing, Steffen.

We'll be addressing this during Monday's SIG meeting.


And a related pull request: https://github.com/orcwg/cra-hub/pull/164

Thoughts welcome,

--tobie

On Fri, Mar 14, 2025 at 12:50 AM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi all,

as you might have seen already, the Draft Technical Descriptions have been published on the EC website.

Time until April 10th for comments.

The Expert Group CRA of the will then be in charge, together with the Commission, to improve the definitions based on the comments received. 

Best Regards,

Steffen Zimmermann
Industrial Security @ VDMA

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
