• CROMERR Requirements Set Performance Goals
  • They specify WHAT your system must be able to do
  • But, they do not specify the HOW your system does what it does—except, to a very limited extent, for the identity-proofing requirements in the case of Priority Reports.
• CROMERR Requirements DO NOT Dictate Specific Approaches To:
  • System functions
  • Operating procedures
  • System architecture
  • Technologies used

  While currently available technologies may limit the choice of solutions for some of CROMERR's requirements, the requirements are written to allow the range of choices to expand as new technologies and products emerge.

The task is to decide on particular solutions to meet the general performance goals.

• CROMERR Requirement: Provide an opportunity to review COR in a human-readable format
  • Requirement allows:
    • Delivery on paper, on magnetic or optical media, or electronically
    • Delivery via online session, offline electronic transfer, or freight or postal carrier
    • Creation from data in a database or a copy of what was submitted
  • Solution could involve:
    • Printing to paper or disks
    • Client-server transactions, file-transfer or email, or the U.S. Postal Service
    • XML or XSL formatting, PDF file capture, or other report generation functionality
• CROMERR Requirement: Issue (or register) a signing credential in a way that minimizes risk of compromise
   

  • Requirement allows:
    • Creation of credential by registrant, system, or third party
    • Credentials based on shared secrets (PINs or passwords), encrypted objects, biometrics, or physical tokens

Back | Next