Unverified commit 9ea6a11e, authored by Miguel Fornés, committed by Aki Braun

Resolve #321: Clarify acceptable transmission of personal data for authentication

parent 092dbb25
+2 −2
@@ -1035,9 +1035,9 @@ The product shall not collect data unnecessary for the operation of the product.
* Reference: TR-DMIN
* Requirement: **REQ-DM-0ky3f**
* Objective: Data minimization
* Preparation: Packet capture during typical hour of use and document all data sent to the VPN manufacturer
* Preparation: Packet capture during typical hour of use and document all data sent to the VPN manufacturer.
* Activities: Review the documentation of the packet capture for any form of Personal Data. Identify if any captured Personal Data originates from the tunneling functionality or is otherwise outside the documented scope of necessary authentication/access control.
* Verdict: If there is any Personal Data collected that is not strictly necessary and explicitly justified for authentication, access control, or subscription management => PASS, otherwise FAIL
* Verdict: If there is any Personal Data collected that is not strictly necessary and explicitly justified for authentication, access control, or subscription management => FAIL, otherwise PASS
* Evidence: Packet capture alongside the manufacturer's documentation justifying the necessity of any transmitted authentication data.

#### 5.2.12.4 MI-NPER-3: Minimize Personal Data required for use, service provisioning and payment (### 5.8.N DM)
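
Review bot: The corrected Verdict line exempts Personal Data justified for "authentication, access control, or subscription management", but the unchanged Activities line only asks the assessor to flag data "outside the documented scope of necessary authentication/access control", so subscription-management data is covered by the verdict and not by the activity that feeds it. Align the two lists in this same change, for example by adding subscription management to the scope named in Activities. The Verdict also says "collected" while Preparation and Evidence speak of data "sent" and "transmitted"; using one term would keep the test tied to what the packet capture can actually show. Minor: the new Verdict line still lacks the terminal period that this commit adds to the Preparation line.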