W3C

– DRAFT –
Proposal for Foundational Structural Re-Alignment of EN 304-617 in the Context of the Web Security Model and CRA

25 March 2026

Attendees

Present
Eshant, Giovanni, Simone
Regrets
-
Chair
Giovanni Corti, Luca Lumini, Simone Onofri
Scribe
simone

Meeting minutes

Background Information

Slideset: https://docs.google.com/presentation/d/1OapeUcIkXvXAtqmtcchh4HfSYIblMSTPNGfNz8lQ3Zs/edit?ouid=100636309240434757393&usp=slides_home&ths=true and archived PDF copy

[Slide 2]

Brief overview

[Slide 3]

Link: https://labs.etsi.org/rep/stan4cra/en-304-617/-/issues?show=eyJpaWQiOiI5IiwiZnVsbF9wYXRoIjoic3RhbjRjcmEvZW4tMzA0LTYxNyIsImlkIjozMzA1fQ%3D%3D

Feedback of our feedback

[Slide 4]

This session...

[Slide 5]

First and foremost

[Slide 6]

[Slide 7]

Scope

[Slide 11]

[Slide 12]

Eshan: my understanding is that the scope there, the browser, is overlapping with the AI Act, and User Agent; does this definition include those terms, e.g. agentic things?

Simone: good question, the question is that if you have a browser (defined by law: https://labs.etsi.org/rep/stan4cra/en-304-617/-/blob/main_publish/EN_CRA_Vertical_Harmonised_Standard_Skeleton_draft.md?ref_type=heads#1-scope)
… and we can use the newer definition of the scope after the reboot:
… [[ Software products with digital elements that enable end users to access, render, and interact with web content and services hosted on servers that are connected to networks such as the Internet. They typically include a browser engine for interpreting and displaying content written in markup language (e.g. HTML), support for web protocols (e.g. HTTP, HTTPS), the ability to execute scripts and manage user inputs as well as storage of temporary or persistent data from websites (cookies).
… This category includes but is not limited to standalone applications that fulfil the functions of browsers, embedded browsers intended for integration into another system or application as well as browsers with AI agent integration.]]

Corti: it is also important to link this: it is only for the CRA, not for the AI Act, but I can talk to the ETSI group about this

Clause 4

[Slide 13]

Giovanni: we proposed an approach based on Threat Modeling, as CRA is risk-based
… as threat modeling is the best way for a product to understand the threats connected to a product
… and also this will help them; we're working in W3C on the Threat Model for the Web, which can also help them

https://w3c.github.io/threat-model-web/

[Slide 14]

Top-down approach

[Slide 16]

Giovanni: in summary, they should start from the legal hook, then understand how this impacts a Web Browser
… and also, if a requirement is defined in another specification, the idea is to tell them to refer to the other spec

[Slide 17]

Giovanni: this is an idea on the reboot work I am doing: legal hook, verbatim text, the section of the reboot of the standard, and whether the actual skeleton is missing something

Sum up

[Slide 18]

Q&A

Giovanni: What do you think of the highlights? Something more that we can do?

Eshan: my feedback, as a personal opinion, is another question: which is the most useful TAG document you would like?

Simone: There is maybe a lack of the web security model; there are some connections

Eshan: Design principles can also be useful for the requirements

Simone: yes, also this is why we should speed up the work on the Threat Model for the Web; having a draft, we're happy to share with TAG and work with TAG

Eshan: Another point is about advertising; is that covered?

Simone: there is something on data minimization, so it can be covered

Minutes manually created (not a transcript), formatted by scribe.perl version 248 (Mon Oct 27 20:04:16 2025 UTC).
