Unless these are not already adequately covered elsewhere:
1. Assuming that there is a PWG plug-in, how will end customers
obtain it? Windows Update? Eventually, in the Windows Server 20XX
distribution? Optional download from Microsoft? Download from PWG? Or?
2. If there are vendor-specific extensions to the plug-in, how will
end customers obtain those?
3. Once customers have the attribute definitions for assessing HCDs,
how will they obtain the appropriate values? (e.g., what is the
current firmware revision for vendor X, product Y?). By what
mechanism will those be maintained by vendors?
4. How will customers be assured that the sources for the plug-in,
extensions, and current values have not been spoofed, and that
their contents have not been tampered with?
--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435