Lesson 7: From Requirements to Specific Solutions
CROMERR Requirements Set Performance Goals
- They specify WHAT your system must be able to do
- But they do not specify HOW your system does it, except, to a very limited extent, for the identity-proofing requirements in the case of Priority Reports (as defined in § 3.3 of CROMERR, the reports listed in Appendix 1 to part 3).
CROMERR Requirements DO NOT Dictate Specific Approaches To:
- System functions
- Operating procedures
- System architecture
- Technologies used
While currently available technologies may limit the choice of solutions for some of CROMERR's requirements, the requirements are written to allow the range of choices to expand as new technologies and products emerge.
The task is to decide on particular solutions to meet the general performance goals.
CROMERR Requirement: Provide an opportunity to review COR in a human-readable format
COR (copy of record): As defined in § 3.3 of CROMERR, a true and correct copy of an electronic document received by an electronic document receiving system, which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: 1) All electronic signatures contained in or logically associated with that document; 2) The date and time of receipt; and 3) Any other information used to record the meaning of the document or the circumstances of its receipt.
- Requirement allows:
  - Delivery on paper, on magnetic or optical media, or electronically
  - Delivery via online session, offline electronic transfer, or freight or postal carrier
  - Creation from data in a database or a copy of what was submitted
- Solution could involve:
  - Printing to paper or disks
  - Client-server transactions, file-transfer or email, or the U.S. Postal Service
  - XML or XSL formatting, PDF file capture, or other report generation functionality
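One possible report-generation solution for the COR requirement above, shown as an added example that is not part of the original lesson or of CROMERR itself. It builds a plain-text copy of record and refuses to produce one if any submitted item lacks a description. The field names, labels, and signature record layout are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timezone

# Hypothetical field-to-label map for a constructed report type (assumption).
FIELD_LABELS = {
    "facility_id": "Facility identifier",
    "period": "Reporting period",
    "so2_tons": "SO2 emitted (tons)",
}


class UnlabeledFieldError(ValueError):
    """Raised when a submitted item has no human-readable description."""


def render_cor(document, signatures, received_at, labels=FIELD_LABELS):
    """Build a plain-text copy of record from a submitted document.

    document    -- dict mapping submitted field names to values
    signatures  -- list of dicts with 'signer' and 'value' keys (assumed layout)
    received_at -- timezone-aware datetime of receipt
    """
    missing = sorted(set(document) - set(labels))
    if missing:
        # Every submitted item must appear with a label; never drop one silently.
        raise UnlabeledFieldError(f"no label for: {', '.join(missing)}")
    if received_at.tzinfo is None:
        # A naive timestamp is ambiguous, so reject it rather than guess a zone.
        raise ValueError("receipt time must be timezone-aware")

    receipt = received_at.astimezone(timezone.utc).isoformat()
    lines = ["COPY OF RECORD", f"Date and time of receipt: {receipt}"]
    # Associate each submitted value with its description.
    lines += [f"{labels[name]}: {document[name]}" for name in document]
    # Include every signature contained in or associated with the document.
    lines += [f"Electronic signature ({s['signer']}): {s['value']}" for s in signatures]
    return "\n".join(lines)


# Constructed sample input.
SAMPLE_DOC = {"facility_id": "FAC-0001", "period": "2023-Q4", "so2_tons": 12.5}
SAMPLE_SIGS = [{"signer": "j.doe", "value": "c2FtcGxlLXNpZw=="}]
SAMPLE_TIME = datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(render_cor(SAMPLE_DOC, SAMPLE_SIGS, SAMPLE_TIME))
```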
CROMERR Requirement: Issue (or register) a signing credential in a way that minimizes risk of compromise
Compromise: In relationship to an electronic signature device, refers to when the device's code or mechanism is available for use by any other person.
- Requirement allows:
  - Creation of credential by registrant, system, or third party
  - Credentials based on shared secrets (PINs or passwords), encrypted objects, biometrics, knowledge-based queries (KBQs), or physical tokens