Generally, the 2019 C2 baseline does not include capabilities that rely on hardware-based security. Should there be an extension that discusses this topic?
-- Under what circumstances is hardware based security appropriate or necessary?
-- What are the capabilities needed in this category, and for what use cases or boundary conditions?
Note that there is a great deal of material available on hardware-based security. So perhaps the question is really, "What protections does the basic C2 baseline lack that hardware-security-plus-C2 does provide?" And if we document that, how can it be presented?