HCD-Assessment-Attributes

Comment: "DefaultPasswordEnabled" needs some clarification:

1. What kind of "administrator passwords or other credentials" are included? Only passwords for admin accounts that are security-relevant (e.g., not an administrator password that permits a device admin to change non-security settings)?
2. What kind of credentials?
3. Although not as important as the first clarification, it might be more clear to change the sense of the whole thing to "DefaultPasswordsChanged" (0 = not changed).

Comment: During the updates to this HCD-TNC document based on IDS WG review on 6 June 2012, I discovered several mandatory changes to HCD-ATR (and therefore HCD-NAP) which were agreed but NOT implemented in the current versions out for PWG Last Call. See: ftp://ftp.pwg.org/pub/pwg/ids/minutes/ids-f2f-minutes-20120606.pdf - see especially decisions to change mandatory attributes.

HCD-NAP Binding

See Assessment Attributes comments.

PWG-Log

Comment: Section 3.3 Out of Scope

While we're not specifying a standard for any of the mechanisms or functionality in section 3.3, we do include a statement that impacts:

6. Data Protection Policies

For instance, in section 6, "Conformance Requirements", #2 and #3 deal specifically with items that would be included in a data protection policy.

And in section 9, "Security Considerations", we again require integrity protection of the log information.

We may want to modify the "out of scope" section to state that we are placing requirements on data protection policies, but not including recommendations for a "soup to nuts" data protection policy for logging information (of course, "soup to nuts" may not be appropriate for the actual text, but hopefully you get the idea).

By the way, the sentence in section 9 I'm referring to above is written as:

485. Device MUST provide protection from alteration both on the device and when distributed outside the device.

IMHO, this wording should be more specific... something like:

Imaging devices MUST provide integrity protection for log message data, both on the device, as well as when the log data is transported outside the device.

The original text doesn't explicitly state what might be altered.