Re: [open-regulatory-compliance] Draft Technical Descriptions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [open-regulatory-compliance] Draft Technical Descriptions

From: "Merlijn Sebrechts (UGent-imec)" <Merlijn.Sebrechts@xxxxxxxx>
Date: Wed, 26 Mar 2025 14:35:16 +0000
Accept-language: en-150, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ugent.be; dmarc=pass action=none header.from=ugent.be; dkim=pass header.d=ugent.be; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9vdBuXtQWCb6Ce5GAb+gJIcbUQvJP6hoNDxyVVpp5kM=; b=fgnFpNWG582rNH6PNWvWNP3VOr9XlefklNL9ZOtu/siTr2SGwyt7GKjWKSp3s6DkcvoiMGurQJ1Z8Q9EV6OyTK8BUb9GcqgSGZ8bkPjGKMgrYKVxk4lTe3rA5MgEtcBQ0sSDzsBKmn2bSSSIBDhNCz8/R1T4Hg628M9ZTuooExwdEZEOp4Ldty25s41olfJC6F5PTPojSI0l0qrSAMFJqgu4X7iA0xo8ApNTWEh0J+wTftngl8+zxAGTygIk82x98BVmOy/7YU9dzkmvmfe15cuqRT/eqvVaFDyP9jGEcrS5xnYU++kwVRGq8fXVaK7SQfIAm37HHqsMyKu1gvMAbQ==
Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=gqAo0dt95Pm/f5UGO7O5rmkc+ENwz1axpr60iT5NXY37KzI4i6y5cQvyb6zVw1ZnhdSlOtKtvn+HDqWG7uNHKS30kW2ouMcpEaimP6gSWMlLvfn5nYcpk/pFCI6B6TWMfIyxmNkxb5IxT/K6HxY3C3n2fMnDffUWUqgNPo26QwE4yT0cG83TE8Nj4gSbKOJvbwFTF274jW6hVNtTaNR2VgsTdS2D2HGpO2CaeIl2BTLaZBTZEY8MPOKHJexuNWCLLDfpS2d+dX6IT/mxZSlaU8g4b0cYYaKyvO4+nbiL6206Ay/WldMT4fTc2bGmdTnfbTYNAKY6Ok1UIWW3IDn8YA==
Delivered-to: open-regulatory-compliance@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/open-regulatory-compliance/>
List-help: <mailto:open-regulatory-compliance-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=unsubscribe>
Msip_labels:
Thread-index: AQHblHKldmU6b3xN2EOl/lKjPVhO17N0YLOAgAa7aACABzQaAIADPZei
Thread-topic: [open-regulatory-compliance] Draft Technical Descriptions

Hi Tobie, all

I added some comments about confidential computing and hypervisors. I created a PR for this. Is this the right approach? https://github.com/orcwg/cra-hub/pull/182

Specifically, I think it's confusing where the following elements fall:

vTPMs; do these fall under the same category of TPMs? I would assume not, because that definition explicitly mentiones "hardware components". What about vTPMs that are middleware layers on top of hardware TPMs?
Hardware components that provide TEE functionality: Do these fall under "secure elements"? They are (at minimum) used for very similar functionality as TPMs, and protect data. But they're not explicitly mentioned, and they could also just fall under "Microprocessors with security-related functionalities". My intuition is that these should fall into the same category as TPMs, because they're also tamper-resistant microprocessors that protect data and keys. Not just general security components.
Hardware hypervisors: do these fall under hypervisors or under "Microprocessors with security-related functionalities"?

In my opinion, the most confusing part is the category of "secure elements", because this seems to be an afterthought in the larger category of "smartcards", even though it explicitly mentions TPMs, which are very unlike smartcards. Smartcards are tamper-resistant devices while TPMs are tamper-resistant components of larger devices.

Merlijn Sebrechts, PhD

Senior researcher

IDLab, Ghent University, in collaboration with imec

Use my booking page to meet with me

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Sent: Monday, 24 March 2025 13:59
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Tobie Langel <tobie@xxxxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Draft Technical Descriptions

Hi all,

I've made it easier to link to specific definitions in the draft implementing act. For example, the definition for operating systems is here: https://github.com/orcwg/cra-hub/blob/main/product-definitions/input-to-draft-regulation.md#important_class_i_11

I've also added these to the open pull requests so it is easier to see the comments and proposed changes. For example, here's my comment and proposed changes for pull request #177 on browsers: https://github.com/orcwg/cra-hub/blob/tobie-prod-def-browsers/product-definitions/input-to-draft-regulation.md#important_class_i_2

I do want to remind people that the window for input is closing quickly and I'm not seeing any uptake on providing comments or proposed changes. Does this mean people are globally satisfied with the proposed definitions?

If not, please consider providing some input quickly and if you're struggling on how to do this, please let me know asap.

Thanks,

--tobie

On Wed, Mar 19, 2025 at 11:59 PM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:

Hi all,

Quick Follow-up on providing input to the technical description of important and critical product categories.

Please find our process for collecting comments and proposed changes here: https://github.com/orcwg/cra-hub/tree/main/product-definitions

And please find a first example of a comment to get us started right here: https://github.com/orcwg/cra-hub/pull/177

Looking forward to your input.

Thanks,

--tobie

On Sat, Mar 15, 2025 at 5:10 PM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:

Thanks for sharing, Steffen.

We'll be addressing this during Monday's SIG meeting.

Here's a proposal on how to move forward: https://github.com/orcwg/cra-hub/tree/tobie-prod-reg/product-definitions#public-consultations-and-feedback

And a related pull request: https://github.com/orcwg/cra-hub/pull/164

Thoughts welcome,

--tobie

On Fri, Mar 14, 2025 at 12:50 AM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi all,

as you might have seen already, the Draft Technical Descriptions have been published on the EC website.

Time until April 10th for comments.

The Expert Group CRA of the will then be in charge, together with the Commission, to improve the definitions based on the comments received.

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14449-Technical-description-of-important-and-critical-products-with-digital-elements_en

Viele Grüße,

Best Regards,

Steffen Zimmermann
Industrial Security @ VDMA

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

References:
- [open-regulatory-compliance] Draft Technical Descriptions
  - From: Steffen Zimmermann
- Re: [open-regulatory-compliance] Draft Technical Descriptions
  - From: Tobie Langel
- Re: [open-regulatory-compliance] Draft Technical Descriptions
  - From: Tobie Langel
- Re: [open-regulatory-compliance] Draft Technical Descriptions
  - From: Tobie Langel

Prev by Date: Re: [open-regulatory-compliance] Important and Critical product categories - Operating systems
Next by Date: [open-regulatory-compliance] FYI: New OpenSSF requirements for open source projects
Previous by thread: Re: [open-regulatory-compliance] Draft Technical Descriptions
Next by thread: [open-regulatory-compliance] Vulnerability Management presentation to OpenSSF work group
Index(es):
- Date
- Thread

Breadcrumbs