Commit c221cb82 authored by Valerie Aurora

Remove inconsistent bolding of reqs/mitigations

parent d56813c3
+15 −15
@@ -704,13 +704,13 @@ The VPN client shall clearly inform the user about the operator of the DNS serve
| UC-3             | DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6, DNSL-7, DNSL-8 |
| UC-4             | DNSL-2, DNSL-4                                                 |

### 5.2.10 **TR-EISO**: Endpoint isolation
### 5.2.10 TR-EISO: Endpoint isolation

#### 5.2.10.1 Requirement

The VPN provider shall by default not establish routes between different client endpoints.

#### 5.2.10.2 **MI-EISO**: No route between different endpoints
#### 5.2.10.2 MI-EISO: No route between different endpoints

The VPN provider shall by default not establish routes between different client endpoints.

@@ -731,13 +731,13 @@ The VPN provider shall by default not establish routes between different client
|------------------|----------------------|
| all              | EISO                 |

### 5.2.11 **TR-TRAF**: No traffic through the node unless explicitly approved
### 5.2.11 TR-TRAF: No traffic through the node unless explicitly approved

#### 5.2.11.1 Requirement

The VPN client shall not route traffic through the endpoint from sources/destinations other than the endpoint without the user's explicit informed consent, and such routing shall not be necessary for the use of any unrelated function.

#### 5.2.11.2 **MI-TRAF-1**:
#### 5.2.11.2 MI-TRAF-1:

The VPN client shall not implement the capability for routing traffic from sources/destinations other than the endpoint through an endpoint.

@@ -748,7 +748,7 @@ The VPN client shall not implement the capability for routing traffic from sourc
  * Verdict: No traffic originating from the VPN provider for sources/destinations other than the endpoint => PASS, otherwise FAIL
  * Evidence: Packet capture with annotations of origin of packet

#### 5.2.11.3 **MI-TRAF-2**:
#### 5.2.11.3 MI-TRAF-2:

The VPN client shall disable by default the capability for routing traffic from sources/destinations other than the endpoint through an endpoint.

@@ -759,7 +759,7 @@ The VPN client shall disable by default the capability for routing traffic from
  * Verdict: No traffic originating from the VPN provider for sources/destinations other than the endpoint => PASS, otherwise FAIL
  * Evidence: Packet capture with annotations of origin of packet

#### 5.2.11.4 **MI-TRAF-3**:
#### 5.2.11.4 MI-TRAF-3:

The VPN client shall alert the user if traffic if the endpoint is allowing traffic from sources/destinations other than the endpoint to be routed through the endpoint.

@@ -770,7 +770,7 @@ The VPN client shall alert the user if traffic if the endpoint is allowing traff
  * Verdict: User receives some alert or notification that clearly indicates forwarding is enabled => PASS, FAIL
  * Evidence: Record of UI change

#### 5.2.11.5 **MI-TRAF-4**:
#### 5.2.11.5 MI-TRAF-4:

The VPN client shall not require routing of traffic from sources/destinations other than the endpoint to use services that do not require such routing.

@@ -793,13 +793,13 @@ The VPN client shall not require routing of traffic from sources/destinations ot
| UC-1, UC-2, UC-4 | TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4) |
| UC-3             | TRAF-1                               |

### 5.2.12 **TR-DMIN**: Data minimization
### 5.2.12 TR-DMIN: Data minimization

#### 5.2.12.1 Requirement

The product shall not collect data unnecessary for the functions of the product.

#### 5.2.12.2 **MI-NPII-1**:
#### 5.2.12.2 MI-NPII-1:

The VPN provider shall not collect PII without explicit authorization.

@@ -810,7 +810,7 @@ The VPN provider shall not collect PII without explicit authorization.
  * Verdict: All PII collected has a record of authorization by the user => PASS, otherwise FAIL
  * Evidence: Packet capture, documentation of PII, authorization, justification

#### 5.2.12.3 **MI-NPII-2**:
#### 5.2.12.3 MI-NPII-2:

VPN provider shall not send PII outside of the endpoint at all.

@@ -821,7 +821,7 @@ VPN provider shall not send PII outside of the endpoint at all.
  * Verdict: There is no PII collected => PASS, otherwise FAIL
  * Evidence: Packet capture

#### 5.2.12.4 **MI-NPII-3**:
#### 5.2.12.4 MI-NPII-3:

The VPN provider shall not require PII for use of the product, including for payment.

@@ -832,7 +832,7 @@ The VPN provider shall not require PII for use of the product, including for pay
  * Verdict: If there is any PII in the data entered => PASS, otherwise => FAIL
  * Evidence: The record of data entered with a short description of each part saying why it is not PII

#### 5.2.12.5 **MI-NPII-4**:
#### 5.2.12.5 MI-NPII-4:

The VPN provider shall not store any PII of the user on remote data processing systems.

@@ -896,13 +896,13 @@ If the VPN provider claims to support IPv6, it shall provide full, native IPv6 c
|------------------|----------------------|
| all              | IPV6-1, IPV6-2       |

### 5.2.14 **TR-CRYPT**: Use strong, VPN specific cryptography
### 5.2.14 TR-CRYPT: Use strong, VPN specific cryptography

#### 5.2.14.1 Requirement

The VPN provider shall use strong cryptography.

#### 5.2.14.2 **MI-CRYPT-1**: Use a PSK
#### 5.2.14.2 MI-CRYPT-1: Use a PSK

The VPN provider shall use a preshared key to mitigate post-quantum decryption

@@ -914,7 +914,7 @@ The VPN provider shall use a preshared key to mitigate post-quantum decryption
  * Verdict: The configuration file contains a PSK or preshared key => PASS, otherwise => FAIL
  * Evidence: The configuration file

#### 5.2.14.3 **MI-CRYPT-2**: Use conformant encryption
#### 5.2.14.3 MI-CRYPT-2: Use conformant encryption

> TODO-HAS: Fill in below
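Review bot: the MI-CRYPT-1 verdict "The configuration file contains a PSK or preshared key => PASS" is purely syntactic; a configuration that names a PSK field but leaves it empty, or that the client ignores, would still pass. Suggest tightening the verdict to require that the PSK value is present and non-empty and that the client demonstrably uses it (for example, the connection fails when the PSK is altered), with the evidence extended accordingly. The TODO-HAS marker under MI-CRYPT-2 should be resolved before this section is considered complete.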