CDD: Tighten keystore req

- Tighten the security consistently for Android ecosystem.
- Remove the condition of a secure lock screen for Keystore reqs for
form-factors (i.e. Handheld, Auto, TV) that have adopted keystore reqs.

Bug: 111748530

Change-Id: If7682e1410b52390135627d3edc9724d779a265f

1 files changed, 4 insertions, 3 deletions

diff --git a/9_security-model/9_11_keys-and-credentials.md b/9_security-model/9_11_keys-and-credentials.md
index a9d664aa..76cc51d8 100644
--- a/9_security-model/9_11_keys-and-credentials.md
+++ b/9_security-model/9_11_keys-and-credentials.md
@@ -40,9 +40,6 @@ prevent the keys from being used as device identifiers. One way of meeting this
 requirement is to share the same attestation key unless at least 100,000 units
 of a given SKU are produced. If more than 100,000 units of an SKU are produced,
 a different key MAY be used for each 100,000 units.
-*    [C-1-5] MUST allow the user to choose the Sleep timeout for transition from
-     the unlocked to the locked state, with a minimum allowable timout up to
-     15 seconds.
 
 Note that if a device implementation is already launched on an earlier Android
 version, such a device is exempted from the requirement to have a keystore
@@ -50,6 +47,10 @@ backed by an isolated execution environment and support the key attestation,
 unless it declares the `android.hardware.fingerprint` feature which requires a
 keystore backed by an isolated execution environment.
 
+*    [C-1-5] MUST allow the user to choose the Sleep timeout for transition from
+     the unlocked to the locked state, with a minimum allowable timout up to
+     15 seconds.
+
 ### 9.11.1\. Secure Lock Screen
 
 The AOSP implementation follows a tiered authentication model where a