Commit f93f59b2 authored by Daniel Thompson-Yvetot

meeting notes

parent db78ff80
+91 −3
# CYBEREUSR(25)PW00#
# CYBEREUSR(25)PW006

---

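Review bot: the title line now reads `# CYBEREUSR(25)PW006` in place of the placeholder `PW00#`; since the body below cites "draft ETSI 304-618" as the deliverable, confirm that this reference number is the one used in the other meeting documents so the two identifiers do not drift apart in later revisions.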
@@ -47,15 +47,103 @@ List of participants included in the meeting report annex.
## 2. Meeting Session

### 2.1 Contributions
- 

### 2.2 Review of work done


### 2.3 Cryptography

### 2.4 Distribution of tasks

_________

# Notes from Daniel

## Meeting Overview

The meeting focused on reviewing the draft ETSI 304-618 standard for password managers under the Cyber Resilience Act. Daniel presented significant progress on Chapter 4, addressing scoping, risk assessment, and cryptographic requirements. The team is working toward a mature draft submission by end of September 2025.

## Key Discussion Topics

### 1. **Draft Document Progress**
- Daniel has completed substantial work on Chapter 4, focusing on:
  - In-scope and out-of-scope components
  - Deployment models (local, cloud-based, hybrid, browser extension, enterprise, hardware-based)
  - Use cases and risk considerations
  - Core architecture components
  - Quantum-resistant cryptography requirements

### 2. **Cryptographic De Minimis Concept**
- Daniel introduced "cryptographic de minimis" - a threshold concept for cryptographic requirements
- Manufacturers must declare exact cryptographic configurations above this threshold
- Allows market surveillance authorities to verify cryptographic compliance against current standards
- Addresses the challenge of cryptographic standards evolving (e.g., RSA modulus requirements changing December 31, 2025)

### 3. **ENISA Cryptographic Guidance**
- Discussion of ENISA's European Cybersecurity Certification Group document on agreed cryptographic mechanisms
- Key deadline: RSA with modulus less than 3000 bits deprecated after December 31, 2025
- Need to reference authoritative sources without making them binding in the standard

### 4. **Risk Assessment Approach**
- Framework: Capability → Condition → Threat → Risk → Requirement
- Need to expand the risk catalog (currently considered too small)
- Discussion on combining universal risks with deployment-specific risks

## Decisions Made

1. **GitLab as primary review platform** - Comments should be submitted via GitLab issues with specific line references
2. **Cryptographic requirements approach** - Will not specify exact algorithms but require manufacturers to declare their cryptographic implementations for CAB/MSA verification
3. **Meeting schedule** - Confirmed next meeting for September 25, 2025 (23B presentation)
4. **Tuesday collaboration** - Daniel and Chizandre will meet Tuesday, 2:00-3:00 PM to work on requirements mapping

## Action Items

### Immediate (Before Next Meeting - September 25)

| Owner | Task | Due Date |
|-------|------|----------|
| **All Members** | Review draft document and provide feedback via GitLab | Sept 24 |
| **Marzo** | Map CRA Annex I requirements to document sections | Sept 24 |
| **Daniel & Marzo** | Joint working session on requirements mapping | Sept 24, 2-3 PM |
| **Chris/NCSC** | Submit formal comment on cryptographic de minimis approach (Issue #6) | Sept 24 |
| **All Members** | Spend 30 minutes reviewing Chapter 4 draft | Sept 24 |

### Ongoing Tasks

| Owner | Task | Target |
|-------|------|--------|
| **Daniel** | Complete Chapter 5 outline with risk-based assessment | Sept 25 meeting |
| **Daniel** | Collate Annex A & B risk assessments into usable format | Sept 25 meeting |
| **Team** | Identify missing risks in current catalog | Ongoing |

## Key Technical Points Raised

1. **Cryptographic Agility** - Products must demonstrate ability to update cryptographic primitives without full recertification
2. **Quantum Resistance** - Hybrid cryptographic approaches required for future-proofing
3. **Update vs. Recertification** - Need clarification on when cryptographic updates trigger recertification requirements


## Open Questions for Escalation

1. Whether cryptographic algorithm updates constitute "substantial modification" requiring full recertification
2. Specific guidance on post-quantum transition requirements
3. How conformity assessment bodies (CABs) will verify cryptographic implementations in practice

## Next Steps

1. Mature draft presentation at meeting 23B (September 25, 2025)
2. Sandra (new chair) will assess completion percentage
3. October/November alignment meeting with other rapporteurs on risk level identification
4. Final standard submission target: September 2026

## Document Status
- **Current completion estimate:** Substantial progress on Chapter 4, Chapter 5 pending
- **Critical path items:** Requirements mapping, risk catalog expansion, cryptographic guidance integration
- **Publication readiness:** Will be assessed at next week's meeting

---
*Note: The team emphasized this is a collaborative effort requiring active contribution from all members. The standard aims to be practical for manufacturers while ensuring robust security requirements for password managers under the CRA.*




---
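Review bot: the substantive content of this commit lands under the informal "# Notes from Daniel" heading while the formal agenda items 2.1 Contributions through 2.4 Distribution of tasks (including the stray empty bullet under 2.1) remain empty stubs; either fold the cryptography and task-distribution material into those numbered sections or mark them explicitly as to-be-completed so a reader does not mistake them for finished. There is also an internal inconsistency to resolve before this becomes the record: decision 4 names "Daniel and Chizandre" meeting "Tuesday, 2:00-3:00 PM", while the action-item table assigns the same joint working session on requirements mapping to "Daniel & Marzo" with due date "Sept 24, 2-3 PM"; confirm the participant name and whether "Tuesday" and "Sept 24" denote the same day. Lastly, "RSA with modulus less than 3000 bits deprecated after December 31, 2025" is listed as a key deadline with no citation, yet decision 2 depends on referencing authoritative sources without making them binding, so the ENISA/ECCG agreed-cryptographic-mechanisms document referred to in section 3 should be cited next to that line.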