Conformance example1 prelim system reqs#155
Conversation
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (1) Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2a) Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2b) Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2c) Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2d) Signed-off-by: Gregory Shue <greg.shue@outlook.com>
…x I Part I (2e) Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Addressed |
Addressed |
stevenc-stb
left a comment
There was a problem hiding this comment.
some small changes.
Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
stevenc-stb
left a comment
There was a problem hiding this comment.
found a other copy past error
more
Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
…s/sdoc/index.sdoc Co-authored-by: stevenc-stb <steven@smarttalkbeacon.com> Signed-off-by: Greg Shue <32416235+gregshue@users.noreply.github.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
chuckwolber
left a comment
There was a problem hiding this comment.
I think I have more review feedback, but I am not sure where to direct it right away. We may require multiple passes.
| SAMPLE is a Product Line of commodity consumer electronics devices intended for | ||
| markets requiring conformance with the EU Cyber Resilience Act. The range of | ||
| devices supported by this Product Line is expected to expand over time as | ||
| more product types become commoditized. |
There was a problem hiding this comment.
Are you talking about a reusable component intended for inclusion in an OEM product for sale direct to consumers? I think the use of the word commoditized is also a little confusing. I can think of a number of reusable components that are branded (not commoditized), but otherwise purport to fulfill an industry specification that may or may not be implemented by others.
There was a problem hiding this comment.
I am talking about the end products-with-digital-elements being commodity devices. This is informative content rather than normative, so it doesn't have to be proved or verified. Perhaps we need a title/section to make that distinct.
Your question prompted me to look for a definition of "commodity devices". From SUSE.com I found the following:
Commodity hardware, sometimes known as off-the-shelf hardware, is a computer device or IT component that is relatively inexpensive, widely available and basically interchangeable with other hardware of its type. Unlike purpose-built hardware designed for a specific IT function, commodity hardware can perform many different functions. Commodity hardware is usually low-end, broadly compatible and can function on a plug-and-play basis with other commodity hardware products. ...
Generally, commodity hardware can evolve from any technologically mature product. Thus, most hardware products that have been on the market for five years or more are available in commodity versions. ...
USB devices (e.g., Thumb drives) are always branded and each has a serial number. The lowest-cost versions that are functionally identical and provide only standard USB interfaces that pull in common drivers provided by the OS vendor are essentially commodity devices. The business profit model is competing on low price, lower cost, and high volume. I have used the term "commodity devices" to refer to this end of the spectrum.
Please note that some of the electrical components within the commodity devices will also be commodity electronics (e..g, resistors, USB connectors, NAND flash chips), where others will not be (e.g., SOC holding non-standard register interfaces to digital logic blocks).
| These products are NOT expected to be used in industrial or | ||
| safety-critical deployments. |
There was a problem hiding this comment.
Short response: "NOT expected" is a negative requirement, or "negative intent" if you prefer. Neither can be proven. It is probably also true that the product is not expected to be used in an infinite number of ways well beyond industrial and safety-critical deployments. Sticking to what IS intended keeps the burden of proof finite.
Longer response: While I am certain it would not be difficult to find plenty of examples of manufacturers who specifically intend for their component to be used in industrial or safety-critical deployments, I am not sure that kind of intent is the norm. In my experience an OEM chooses a component for its fitness regardless of what the manufacturer intended of it. At that point, the OEM takes responsibility for the outcome. At the highest levels of criticality, component heritage is defined as the operational track record. The component manufacturer is neither responsible for, nor likely aware of, the operational track record of their products they sell to OEMs (failures notwithstanding).
There was a problem hiding this comment.
This is informative content rather than normative, so it doesn't have to be proved or verified. Perhaps we need a title/section to make that distinct.
The EU CRA Annex II item requires the User Documentation to describe "the intended use, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties;"
Yes, there are many hardware components that are specifically intended for safety-critical environments (e.g., automotive grade SOCs vs non-automotive grade). I have also run across similar distinctions for RTOS usages (e.g., Green Hills Software product INTEGRITY-178 tuMP Safety-Critical & Security-Critical RTOS vs. Green Hills Software product INTEGRITY RTOS).
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
stevenc-stb
left a comment
There was a problem hiding this comment.
It Look good to me a draft
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
Signed-off-by: Gregory Shue <greg.shue@outlook.com>
No description provided.