From 3259984d1c864c1fcb2c8a8d29f8a4eab8a3b04b Mon Sep 17 00:00:00 2001 From: Benjamin Admin Date: Thu, 25 Jun 2026 11:44:56 +0200 Subject: [PATCH] Fill semantic control->obligation_id (4/7; V16 pending logging cut) V6.x->user_authentication_required, V11.2.1->credential_confidentiality_protection, V11.7.1->auth_key_management; semantisch (NICHT CRA-Anker, die sind approximativ). V16.x pending bis Logging-Cut. anchor_quality_note dokumentiert. Co-Authored-By: Claude Opus 4.7 --- .../controls_for_obligation_mapping.json | 80 +++++++++---------- 1 file changed, 38 insertions(+), 42 deletions(-) diff --git a/obligations/controls_for_obligation_mapping.json b/obligations/controls_for_obligation_mapping.json index 12848311..66b44e8c 100644 --- a/obligations/controls_for_obligation_mapping.json +++ b/obligations/controls_for_obligation_mapping.json @@ -2,70 +2,66 @@ "schema_version": "controls_for_obligation_mapping_v1", "purpose": "Accepted CRA->OWASP controls (Compliance Execution Graph) for the Obligation Registry to propose the SEMANTIC control->obligation_id, replacing the coarse citation_unit interim join. Fill proposed_obligation_id per control, then we adopt it into control_mapping.obligation_id.", "source": "ai-compliance-sdk control_mappings, mapping_status=accepted, reviewed_by=benjamin 2026-06-25", + "filled_by": "obligation-registry-session 2026-06-25", + "join_principle": "SEMANTISCH via obligation_id, NICHT via citation_unit/legal_basis-Anker. Die CRA-Anker sind im Registry teils approximativ (siehe anchor_quality_note) — daher ist obligation_id der stabile Primaerschluessel, nicht der Anker.", + "anchor_quality_note": "Registry-legal_basis-Anker sind teils CRA-Part-I-fehlzugeordnet (Opus-Synthese): user_authentication_required steht auf (2)(d) statt (2)(c); Crypto-Obligations auf (2)(e) statt (2)(d). CRA Annex I Part I: (2)(c)=Zugriffsschutz, (2)(d)=Vertraulichkeit, (2)(e)=Integritaet. Korrektur kommt mit dem zitierfaehigen Re-Ingest (span-genau). Deshalb: NICHT auf Anker joinen.", "count": 7, "controls": [ { - "framework": "OWASP ASVS", - "control": "V6.3.1", + "framework": "OWASP ASVS", "control": "V6.3.1", "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", - "citation_unit": "Annex I (2)(c)", - "family": "auth", - "mapping_type": "supports", - "proposed_obligation_id": "" + "citation_unit": "Annex I (2)(c)", "family": "auth", "mapping_type": "supports", + "proposed_obligation_id": "user_authentication_required", + "mapping_method": "semantic", + "mapping_note": "Zugriffsschutz/Authentisierung-vor-Zugriff = Nutzer-Auth (NICHT firmware, trotz strukturellem (2)(c)-Join)" }, { - "framework": "OWASP ASVS", - "control": "V6.1.1", + "framework": "OWASP ASVS", "control": "V6.1.1", "source_norm": "CRA Annex I Part I (2)(c) — Schutz vor unbefugtem Zugriff", - "citation_unit": "Annex I (2)(c)", - "family": "auth", - "mapping_type": "supports", - "proposed_obligation_id": "" + "citation_unit": "Annex I (2)(c)", "family": "auth", "mapping_type": "supports", + "proposed_obligation_id": "user_authentication_required", + "mapping_method": "semantic", + "mapping_note": "wie V6.3.1" }, { - "framework": "OWASP ASVS", - "control": "V11.2.1", + "framework": "OWASP ASVS", "control": "V11.2.1", "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", - "citation_unit": "Annex I (2)(d)", - "family": "crypto", - "mapping_type": "supports", - "proposed_obligation_id": "" + "citation_unit": "Annex I (2)(d)", "family": "crypto", "mapping_type": "supports", + "proposed_obligation_id": "credential_confidentiality_protection", + "mapping_method": "semantic", + "mapping_note": "Vertraulichkeit von Auth-Daten. ALT: encrypted_auth_channel, falls V11.2.1 transit-/kanal-spezifisch ist — bitte aus eurem Control-Text bestaetigen." }, { - "framework": "OWASP ASVS", - "control": "V11.7.1", + "framework": "OWASP ASVS", "control": "V11.7.1", "source_norm": "CRA Annex I Part I (2)(d) — Vertraulichkeit / Verschluesselung", - "citation_unit": "Annex I (2)(d)", - "family": "crypto", - "mapping_type": "supports", - "proposed_obligation_id": "" + "citation_unit": "Annex I (2)(d)", "family": "crypto", "mapping_type": "supports", + "proposed_obligation_id": "auth_key_management", + "mapping_method": "semantic", + "mapping_note": "Key Management = Schluessel erzeugen/speichern/HSM" }, { - "framework": "OWASP ASVS", - "control": "V16.3.3", + "framework": "OWASP ASVS", "control": "V16.3.3", "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", - "citation_unit": "Annex I (2)(k)", - "family": "logging", - "mapping_type": "supports", - "proposed_obligation_id": "" + "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports", + "proposed_obligation_id": "", + "mapping_method": "pending_logging_cut", + "mapping_note": "wird auf logging_* gemappt, sobald der Logging-Cut synthetisiert ist" }, { - "framework": "OWASP ASVS", - "control": "V16.3.4", + "framework": "OWASP ASVS", "control": "V16.3.4", "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", - "citation_unit": "Annex I (2)(k)", - "family": "logging", - "mapping_type": "supports", - "proposed_obligation_id": "" + "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports", + "proposed_obligation_id": "", + "mapping_method": "pending_logging_cut", + "mapping_note": "wird auf logging_* gemappt, sobald der Logging-Cut synthetisiert ist" }, { - "framework": "OWASP ASVS", - "control": "V16.1.1", + "framework": "OWASP ASVS", "control": "V16.1.1", "source_norm": "CRA Annex I Part I (2)(k) — Sicherheitsrelevante Ereignisse / Logging", - "citation_unit": "Annex I (2)(k)", - "family": "logging", - "mapping_type": "supports", - "proposed_obligation_id": "" + "citation_unit": "Annex I (2)(k)", "family": "logging", "mapping_type": "supports", + "proposed_obligation_id": "", + "mapping_method": "pending_logging_cut", + "mapping_note": "wird auf logging_* gemappt, sobald der Logging-Cut synthetisiert ist" } ] }