List of participants included in the meeting report annex.
> Please note: We will adjourn at 10.30 ETSI time
**Approval of the Agenda**
### 1.3 IPR Call & Antitrust and Code of Conduct reminders (in Annex A)
---
## 2. Meeting Session
### 2.1 Contributions
Thomas, Vasilii, Chris
### 2.2 Review of work done
Mapping to CRA and EUSR
Import from earlier document
### 2.3 Distribution of tasks
---
NOTES:
## Key Achievements
- **100% CRA Coverage**: Cesare successfully mapped all requirements to CRA and USR with complete coverage
- **Document Restructuring**: Requirements moved from 4.6 to 5.0 section while maintaining subnumbering for issue tracking
## Major Discussion Topics
### 1. Password Generation Requirements
**Decisions:**
- Mandate cryptographically secure random number generators (CSRNGs) for all password generation
- User-defined composition rules should be optional, not mandatory
- Remove Note 3 regarding minimum entropy requirements (password managers often don't know target system requirements)
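The decisions above, illustrated as an added example (not text or code from the meeting or from any draft of the standard): password generation driven by a CSPRNG, with composition rules as an optional parameter rather than a fixed requirement, and an entropy estimate that a manager can show without assuming anything about the target system's policy. The character classes and the rejection-sampling approach are assumptions of this example.

```python
import math
import secrets
import string

# Character classes for optional composition rules (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length: int = 16, required_classes=()) -> str:
    """Generate a password using the CSPRNG behind the `secrets` module.

    `required_classes` is an optional composition rule: each named class must
    occur at least once. Rejection sampling (redraw until the rule holds) keeps
    the result uniform over all strings that satisfy the rule, instead of
    biasing fixed positions toward particular classes. `random.choice` would be
    the wrong tool here: it is a Mersenne Twister, not a CSPRNG.
    """
    if length < 1:
        raise ValueError("length must be positive")
    required = [CLASSES[name] for name in required_classes]
    if len(required) > length:
        raise ValueError("more required classes than characters")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, required_classes):
            return candidate


def satisfies(password: str, required_classes) -> bool:
    """True when every named class appears at least once in `password`."""
    return all(any(ch in CLASSES[name] for ch in password) for name in required_classes)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy upper bound for a uniformly random password of `length` symbols.

    Composition rules only shrink the candidate set, so this bound is the
    figure to display; a manager cannot know the target system's minimum.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16, ("upper", "digit", "symbol"))
    alphabet_size = sum(len(c) for c in CLASSES.values())
    print(pw, f"~{entropy_bits(16, alphabet_size):.1f} bits")
```

The composition rule is opt-in: callers that do not pass `required_classes` get a plain uniform draw, which matches the decision that user-defined rules should not be mandatory.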
### 2. Master Password Authentication
**Approach:** Capability-based requirements - only apply if password manager implements master password authentication
**Key Points:**
- Debate on minimum character requirements (12+ vs flexibility)
- Need to define what constitutes a "master password" vs OS authentication
- Consider multi-factor authentication as separate capability
### 3. Cryptography Standards
**Decision:** Reference ENISA's ECCG document instead of specifying cryptographic details
- Removes need to specify specific algorithms or rounds
- Makes standard more maintainable as crypto requirements evolve
- Post-quantum cryptography discussion tabled - may include general statement about future readiness
### 4. Security Theater Concerns
**Thomas raised concerns about requirements that provide minimal security value:**
- Memory clearing after password use
- Clipboard clearing after copy/paste
- Storing generated passwords before user acceptance
**Agreement:** Review all requirements for potential security theater elements
### 5. Autofill Functionality
**Issues Discussed:**
- Strict domain matching may harm usability
- HTTP site restrictions (some valid use cases exist in intranets)
- Need to balance security vs usability based on context (enterprise vs consumer)
- Replace "whitelist/blacklist" terminology with "acceptlist/denylist"
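The autofill trade-offs listed above, as an added example that is not part of the meeting notes or of any draft text: a decision function that applies either strict origin matching or looser registrable-domain matching, refuses non-HTTPS pages unless the host is on an explicit acceptlist (the intranet case), and returns a reason string so the product can surface why credentials were or were not offered. The two-label shortcut for the registrable domain is an assumption of this example; a real implementation would consult the Public Suffix List.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption of this example;
    a production manager must use the Public Suffix List so that
    'a.co.uk' and 'b.co.uk' are not treated as the same site)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def autofill_allowed(stored_url: str, page_url: str, mode: str = "strict",
                     http_acceptlist=()):
    """Decide whether a credential stored for `stored_url` may be offered on `page_url`.

    mode="strict":      scheme, host and port must match exactly (safest, least usable).
    mode="registrable": same registrable domain is enough (enterprise SSO style).
    Pages served over plain HTTP are refused unless their host is on
    `http_acceptlist`, which covers the intranet use case from the discussion.
    Returns (allowed, reason).
    """
    stored, page = urlsplit(stored_url), urlsplit(page_url)
    if page.scheme != "https" and page.hostname not in http_acceptlist:
        return False, "page is not https and host is not on the http acceptlist"
    if mode == "strict":
        same = (stored.scheme, stored.hostname, stored.port) == \
               (page.scheme, page.hostname, page.port)
        return (True, "exact origin match") if same else (False, "origin mismatch")
    if mode == "registrable":
        same = registrable_domain(stored.hostname) == registrable_domain(page.hostname)
        return (True, "registrable domain match") if same else (False, "domain mismatch")
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Constructed sample origins for demonstration.
    print(autofill_allowed("https://accounts.example.com/login",
                           "https://mail.example.com/", mode="strict"))
    print(autofill_allowed("https://accounts.example.com/login",
                           "https://mail.example.com/", mode="registrable"))
    print(autofill_allowed("http://wiki.corp.internal/", "http://wiki.corp.internal/",
                           http_acceptlist=("wiki.corp.internal",)))
```

Which `mode` is the default is exactly the enterprise-versus-consumer question from the discussion: strict matching blocks filling on a sibling subdomain the user may legitimately expect to work, while registrable-domain matching fills across every host under the same domain, including ones an attacker may control on shared hosting.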
### 6. Passkeys
**Decision:** Include passkeys in scope
- Create capability section for passkey management
- Wish we could reference FIDO Alliance standards
## Action Items
### Daniel (To complete before next meeting)
- [ ] Review all threats and requirements for potential security theater elements
- [ ] Create passkey capability section with associated risks and requirements
- [ ] Remove/prune specific cryptographic algorithm references from document
- [ ] Convert 2FA requirements into separate capability section
- [ ] Create logging as a separate capability
- [ ] Clean up issues discussed today and publish next version
- [ ] Review capability-based approach clarity throughout document
### For Next Meeting Discussion
- [ ] Review security theater analysis results
- [ ] Discuss passkey requirements in detail
- [ ] Clarify distinction between minimum requirements vs capability-based requirements
### Administrative
- [ ] Cesare's CyberStand contract ends October 31, 2025
- [ ] Next meeting scheduled in two weeks
## Key Principles Established
1. **Capability-Based Approach**: Requirements apply only when specific capabilities are implemented
2. **Avoid Over-Prescription**: Balance security with usability, especially for consumer products
3. **Focus on Real Threats**: Prioritize addressing password reuse, weak passwords, and adoption over edge cases
4. **Cryptographic Agility**: Reference external standards rather than hardcoding algorithms
## Open Questions for Future Discussion
- Should password managers be required to support passkeys?
- Where to draw the line between enterprise and consumer requirements?
- How to handle post-quantum migration requirements given evolving standards?
- Definition of "explicit user interaction" for credential insertion
## Next Steps
- Daniel to circulate updated draft with discussed changes
- Team to review security theater analysis before next meeting
---
## Annex A: ETSI IPR Call, Antitrust reminder and Code of conduct
### A.1 IPR Call
The attention of the members and participants of this TB is drawn to the fact that ETSI members and participants shall use reasonable endeavours under Clause 4.1 of the ETSI IPR Policy, Annex 6 of the Rules of Procedure, to inform ETSI of Essential IPRs in a timely fashion. This section covers the obligation to notify its own IPRs but also other companies’ IPRs. The members and participants take note that they are hereby invited:
- to investigate in their company whether their company does own IPRs which are, or are likely to become Essential in respect of the work of the TB,
- to notify to the ETSI Director-General all potential IPRs that their company may own, by means of the IPR Information Statement and the Licensing Declaration forms through the ETSI IPR online database application at https://ipr.etsi.org/.
Only under exceptional circumstances and if instructed by the ETSI Secretariat, paper declarations may be allowed using the forms provided by the ETSI Secretariat similar to the on-line forms.
Members and participants are encouraged to make general IPR undertakings/declarations that they will make licenses available for all their IPRs under FRAND terms and conditions related to a specific standardization area and then, as soon as feasible, provide (or refine) detailed disclosures.
For further details, please refer to: http://www.etsi.org/about/how-we-work/intellectual-property-rights-iprs.
---
### A.2 Antitrust and Competition Reminder
The attention of the members of this Working Group is drawn to the fact that ETSI activities are subject to all applicable antitrust and competition laws and that compliance with said laws is therefore required of any participant of this meeting including the Chair and Vice Chair.
The leadership shall conduct the present meeting with impartiality.
In case of question, it is recommended that you contact your legal counsel.
---
### A.3 Code of Conduct for ETSI Members
This Code of Conduct is intended as a broad guide to appropriate behaviour while carrying out activities in or for ETSI, particularly in cases where specific rules are not available.
The Code of Conduct is intended to augment the ETSI Directives but does not override them. Generally, the Code of Conduct encourages certain collaborative styles of interaction and discourages behaviour that would harm trust and cooperation between members.
ETSI delegates shall acknowledge that the ETSI organization was set up by the CEPT, composed of European administrations, industry partners and stakeholder groups and that the organization is recognized by EU law as a European Standardisation Organisation, as per Regulation (EU) No 1025/2012.
Delegates should support ETSI operations, including the relationship with European administrations as far as reasonably possible, noting in particular the needs of the EU and EFTA, and the advice provided through their Counsellors.
This Code of Conduct complements other more specific codes, such as the Code of Conduct for Board members.
In general, delegates to ETSI:
- Shall acknowledge that ETSI operates according to the principles of international standardization: consensus, transparency, openness, impartiality, effectiveness, relevance, and coherence.
- Shall acknowledge that, at ETSI, the respect of other delegates, the Secretariat and the professional culture of standardization is foremost.
- Shall acknowledge that consensus-building in the development of ETSI standards should be upheld and respected.
When involved in ETSI activities, delegates to ETSI
- Shall act in meetings and discussions in accordance with ETSI Values (see above).
- Should make sure that discussions and debates take place in a moderate, professional, respectful and friendly manner, without prejudice.
- Unless acting in official roles, are assumed to be presenting ideas according to their best professional judgement.
- Are expected to act in good faith and with due care and diligence, avoid collusive, anticompetitive, or dominant behaviour and to promote a culture of fair and ethical behaviour.
- Are expected to take care to act on a fully informed basis and take decisions with due diligence, in order to engage constructively in ETSI activities.
- Are invited to actively participate in the work of ETSI, providing timely contributions uploaded to the ETSI portal.
- Shall value diversity and act against any discrimination as outlined in the ETSI Values, e.g. regarding gender, race, color, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.
- Shall acknowledge that speakers should not be interrupted; delegates may speak once recognized by the convenor/Chair of the call or meeting. Speakers should keep their interventions short and to the point.
- Should take the views of all meeting attendees (including those whose first language is not English) into consideration.
- Shall inform the Chair or the Secretariat of any issue requiring escalation so a solution may be reached in a timely manner. The member(s) concerned will use all means to endeavour to solve the issue through the appropriate mechanisms with the help of other members and will respect and uphold the outcomes of such resolution mechanisms.
- Are expected to endeavour to avoid conflict of interest. If any actual or potential conflicts of interest are identified, they shall immediately be disclosed through the appropriate mechanisms.
- Shall take into account the interests and the objectives of the European Union, e.g. as laid down in EU legislation, EU policy documents or outlined by ETSI’s Counsellors, when developing deliverables in support of EU policies and legislation.
Additionally, ETSI Chairs and Vice-Chairs
- Are expected to act in their official roles according to their best professional and neutral judgement, independent of the interests of their supporting organization.
- Are expected to facilitate discussions across different cultures, inclusively, so that decisions align with ETSI Values, protection of minority rights, gender neutrality etc.
- Shall maintain strict impartiality and act in their roles in the interest of ETSI and its members.
- Shall ensure that the ETSI Guidelines for Antitrust Compliance are followed.
- Shall remind delegates of the highlights of these full CoC guidelines at the start of each meeting (at the same time as Antitrust and IPR reminders).
---
## List of Participants
To be downloaded from the ETSI portal.
| Title | Lastname | Firstname | ORGA SHORT NAME | ORGA COUNTRY CODE |