Unverified Commit 06b61b58 authored by Aki Braun

Privacy VPN use cases first draft

parent d70072b5
+13 −10
@@ -336,16 +336,18 @@ The following types of products have reduced or varied requirements under Regula

## 4.4 Use cases

> Create a list of representative use cases, each one representing a different threat profile. If the threat profile is the same for two use cases, then it is basically the same use case for the purposes of the present document. Use cases should include both intended and reasonably foreseeable use/misuse. Use cases don't include industrial operations, automotive, transport, marine, airplane, medical, military, national security, etc.
* **UC-1** Individual consumer
  * Client installed on personal devices like mobile phone, portable or desktop computer
  * Securing traffic on untrusted networks
  * Bypassing georestricted content

> When you have many use cases, group them into 3 - 5 levels of risk. These will probably be your security levels.
* **UC-2** Privacy conscious user
  * Client installed on router or other network level
  * Obfuscating traffic and IP to avoid tracking by ISPs, data brokers

### 4.4.1 Consumer VPN service

- Generally intended for one user or one home network to connect to a public network via a trusted server
- Associated servers controlled by commercial service
- VPN client installed on end user device(s)
- Intended to bypass potentially-unsafe networks such as unsecured Wi-Fi, obfuscate user IP address, and circumvent censorship.
* **UC-3** Journalist or activist
  * At high risk of surveillance
  * Actively circumventing censorship

## 4.5 Security levels

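Review bot: UC-1, UC-2 and UC-3 in the 4.4 list never state the threat profile that separates them, although the guidance at the top of 4.4 says two use cases with the same threat profile count as one use case. As written, UC-1 and UC-2 differ mainly in where the client is installed. Suggest adding one line per use case that names the adversary and what is at risk, and marking which entries are intended use and which are reasonably foreseeable misuse, as the same guidance asks. UC-3 also lacks the client-installation line that UC-1 and UC-2 have, and `georestricted` should match the `geographically-restricted` wording used in EXAMPLE2.
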
@@ -359,7 +361,6 @@ EXAMPLE1: A consumer seeking increased privacy on public Wi-Fi installs VPN c

EXAMPLE2: While traveling overseas, a consumer installs and connects to a commercially-available VPN to direct their traffic through their home country in order to access their home bank's website which is geographically-restricted to locations their customers live.


## 4.6 Essential functions

> List the essential functions of the product, including:
@@ -413,7 +414,9 @@ EXAMPLE2: While traveling overseas, a consumer installs and connects to a commer

> Describe the expected support period and its impact on security risks. Generally the support period should be at least 5 years, shorter or longer according to the expected period of use. See Article 13.8 and Recitals 59 - 62 of the CRA for more information.

::include{file="clauses/5.Requirements.md"}
# 5 Requirements specifications

::include{file=clauses/5.Requirements.md}

# Annex A (informative): Mapping between the present document and CRA requirements

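Review bot: the two `::include` lines in this hunk differ only in the quotes around the file value (`file="clauses/5.Requirements.md"` against `file=clauses/5.Requirements.md`). Unless the directive parser is known to accept an unquoted value containing `/` and `.`, keep the quoted form so that clause 5 is not silently dropped from the build, and use one form throughout the document. The `# 5 Requirements specifications` heading now sits directly above the include, so check that the included file does not also carry it, or the heading will render twice.
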
+0 −1
# 5 Requirements specifications

does split tunneling pose a security threat relevant to this document? maybe in the documentation section?
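
Review bot: the line beginning `does split tunneling pose a security threat` is an open question sitting in the body of the clause 5 file, where the include will pull it into the built document. Move it to an issue, or mark it as an editor's note in the blockquote style the draft already uses for guidance text. On the question itself, split tunneling sends selected traffic outside the tunnel, so it bears on the untrusted-network and surveillance use cases in 4.4 and is worth a requirement, or at least a user-documentation item, rather than a passing remark.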