<div dir="ltr"><div>Here is an updated redline based on today's discussion.</div><div><br></div><div><a href="https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:edf579f3b15e962720f6741b27bf3fefda88cf00">https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:edf579f3b15e962720f6741b27bf3fefda88cf00</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 25, 2020 at 9:08 AM Ben Wilson <<a href="mailto:bwilson@mozilla.com">bwilson@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Here is the URL with immutable links.</div><div><a href="https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:f03fe22df70f4d4ff030c9b07467847dbf40baa8" target="_blank">https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:f03fe22df70f4d4ff030c9b07467847dbf40baa8</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 25, 2020 at 8:53 AM Ben Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Awesome, thanks! <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 25, 2020 at 8:37 AM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<br>
<br>
<div>On 2020-06-25 5:21 PM, Ben Wilson
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thanks! But even with an immutable link, since it
is a pull in my repository, do I need to archive it somehow for
ballot history? Or does the immutable link take care of that?<br>
</div>
</blockquote>
<br>
The immutable link takes care of that. It's global (regardless of
your repo or other repos). It's unique to the entire GitHub system.<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jun 25, 2020 at 4:23
AM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <br>
<br>
<div>On 2020-06-25 7:22 AM, Ben Wilson wrote:<br>
</div>
<blockquote type="cite">
<div dir="auto">I tried to follow it, to a certain extent,
but I wasn't sure how to create the immutable link. I
stopped short of creating a pull request to the CABF
master - it's a pull request to my own master.</div>
</blockquote>
<br>
To find the proper hashes, you look at the last commit from
each branch that you are trying to compare. It took me some
time to figure it out myself :)<br>
<br>
Dimitris.<br>
<br>
<br>
<blockquote type="cite"><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Jun 24, 2020,
10:19 PM Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr" target="_blank">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div> <br>
Hi Ben,<br>
<br>
Did you by any chance follow the process in <a href="https://wiki.cabforum.org/github_redline_guide" rel="noreferrer" target="_blank">https://wiki.cabforum.org/github_redline_guide</a>?
If you did, I'd like to know if you found it useful,
clear/difficult to follow and so on so we can
improve it.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div>On 2020-06-25 5:09 AM, Ben Wilson via Netsec
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Here is the pull request and redlines for
this ballot - <a href="https://github.com/BenWilson-Mozilla/documents/pull/3/files" rel="noreferrer" target="_blank">https://github.com/BenWilson-Mozilla/documents/pull/3/files</a></div>
<div><br>
</div>
<div>or here is another comparison link: <a href="https://github.com/cabforum/documents/compare/master...BenWilson-Mozilla:Zones-BR5.1" rel="noreferrer" target="_blank">https://github.com/cabforum/documents/compare/master...BenWilson-Mozilla:Zones-BR5.1
<br>
</a></div>
<div><br>
</div>
<div>I haven't added in dates or endorsers yet,
but here is the draft ballot: <a href="https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing" rel="noreferrer" target="_blank">https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing</a>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Jun 1,
2020 at 1:11 PM Ben Wilson <<a href="mailto:bwilson@mozilla.com" rel="noreferrer" target="_blank">bwilson@mozilla.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">This isn't aimed at the Offline
CA ballot - it deals with whether we define
"CA equipment". Sorry for the confusion.<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon,
Jun 1, 2020 at 1:05 PM Ponds-White,
Trevoli <<a href="mailto:trevolip@amazon.com" rel="noreferrer" target="_blank">trevolip@amazon.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Daymion
from GoDaddy right? We had cut the
scoping definitions out of a
previous ballot because it made it
too bloated with different topics
and I thought we decided those
should have their own ballot.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">How
do these changes overlap with the
ballot that is clarifying offline
CA requirements?</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<div>
<div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
Netsec <<a href="mailto:netsec-bounces@cabforum.org" rel="noreferrer" target="_blank">netsec-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ben
Wilson via Netsec<br>
<b>Sent:</b> Monday, June 1,
2020 11:23<br>
<b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" rel="noreferrer" target="_blank">Bruce.Morton@entrustdatacard.com</a>><br>
<b>Cc:</b> CABF Network
Security List <<a href="mailto:netsec@cabforum.org" rel="noreferrer" target="_blank">netsec@cabforum.org</a>><br>
<b>Subject:</b> RE: [EXTERNAL]
[cabf_netsec] [EXTERNAL]Re:
"Zones" Ballot Endorsers</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<table style="border-collapse:collapse" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr style="height:15.25pt">
<td style="width:842.35pt;border:1.5pt solid rgb(237,125,49);padding:0in 5.4pt;height:15.25pt" width="706" valign="top">
<p><strong><span style="background:rgb(255,255,153) none repeat scroll 0% 0%">CAUTION</span></strong><span style="background:rgb(255,255,153) none repeat scroll 0% 0%">: This
email originated from
outside of the
organization. Do not
click links or open
attachments unless you
can confirm the sender
and know the content is
safe.</span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<div>
<p class="MsoNormal">Also, in
working on this, I recalled
that Daymion when he was at
Google had requested that we
define the scope of the
requirements.</p>
</div>
<div>
<p class="MsoNormal">Excerpted
below:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p style="margin:0in 0in 0.0001pt" id="gmail-m_4528316920837369747gmail-m_-7638115468555515711gmail-m_1141074404665943295gmail-m_8074079934600400719m_-6475004316674773850gmail-m_8427525313439756147gmail-m_-825837030032188148gmail-m_2512273482120699101gmail-docs-internal-guid-ca080c0f-7fff-dd5f-ae47-e85026593b82"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">Add
below section to the “Scope
and Applicability” to define
scope of PKI Trusted
Environment and to read as
follows:</span></p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black"> </span></p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">The
network security
requirements apply to all
system components included
in or connected to the
publicly trusted certificate
authority (CA) environment.
The CA environment is
comprised of people,
processes and technologies
that store, process, or
transmit CA data. “System
components” include network
devices, servers, hardware
security modules (HSM),
computing devices, and
applications residing within
the CA environment. Examples
of system components
include, but are not limited
to the following:</span></p>
<p class="MsoNormal"> </p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">a.
Systems that provide
security services (for
example, authentication
servers), facilitate
segmentation (for example,
internal firewalls), or may
impact the security of (for
example, name resolution or
web redirection servers).</span></p>
<p class="MsoNormal"> </p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">b.
Virtualization components
such as virtual machines,
virtual switches/routers,
virtual appliances, virtual
applications/desktops, and
hypervisors.</span></p>
<p class="MsoNormal"> </p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">c.
Network components
including but not limited to
firewalls, switches,
routers, network appliances,
IPMI remote management
cards, HSM and other
security appliances.</span></p>
<p class="MsoNormal"> </p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">d.
Server types including but
not limited to web,
application, database,
authentication, mail, proxy,
Network Time Protocol (NTP),
and Domain Name System
(DNS).</span></p>
<p class="MsoNormal"> </p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">e.
Applications including all
purchased and custom
applications.</span></p>
<p class="MsoNormal"> </p>
<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:"Arial",sans-serif;color:black">f.
Any other component or
device located within the CA
environment.</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Thu, May
28, 2020 at 1:01 PM Ben Wilson
<<a href="mailto:bwilson@mozilla.com" rel="noreferrer" target="_blank">bwilson@mozilla.com</a>>
wrote:</p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">I'll work
on a re-draft, hopefully
this afternoon, and
re-circulate it.</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Thu,
May 28, 2020 at 12:53 PM
Bruce Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" rel="noreferrer" target="_blank">Bruce.Morton@entrustdatacard.com</a>>
wrote:</p>
</div>
<blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">I
would assume that if
we did not amend the
BRs, then it would
look like the security
requirements were
being reduced. So yes,
I think that the BRs
should be changed at
the same time.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Bruce.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><b>From:</b>
Ben Wilson <<a href="mailto:bwilson@mozilla.com" rel="noreferrer" target="_blank">bwilson@mozilla.com</a>>
<br>
<b>Sent:</b> Thursday,
May 28, 2020 2:45 PM<br>
<b>To:</b> Bruce
Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" rel="noreferrer" target="_blank">Bruce.Morton@entrustdatacard.com</a>><br>
<b>Cc:</b> Neil Dunbar
<<a href="mailto:ndunbar@trustcorsystems.com" rel="noreferrer" target="_blank">ndunbar@trustcorsystems.com</a>>;
CABF Network Security
List <<a href="mailto:netsec@cabforum.org" rel="noreferrer" target="_blank">netsec@cabforum.org</a>><br>
<b>Subject:</b> Re:
[EXTERNAL]Re:
[cabf_netsec] "Zones"
Ballot Endorsers</p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">I'm
open to discussion
on this. Would we
want to amend
section 5.1 of the
BRs with the same
ballot?</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On
Thu, May 28, 2020
at 12:33 PM Bruce
Morton <<a href="mailto:Bruce.Morton@entrustdatacard.com" rel="noreferrer" target="_blank">Bruce.Morton@entrustdatacard.com</a>> wrote:</p>
</div>
<blockquote style="border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin:5pt 0in 5pt 4.8pt;border-color:currentcolor currentcolor currentcolor rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal">Hi
Ben,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks
for all the
work on this
ballot. I am
wondering if
we should try
to remove
physical
security and
physical
access
requirements
from the
NetSec
document.
Physical
Security
requirements
could be put
into BR 5.1 in
a section
called
Physical
Security
Controls. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">For
instance, item
1.c. states
“Maintain Root
CA Systems in
a Physically
Secure
Environment
and in an
offline state
or air-gapped
from all other
networks.”
This could be
changed so
that 1.c.
states
“Maintain Root
CA Systems in
an offline
state or
air-gapped
from all other
networks” and
BR 5.1 could
state
“Maintain CA
Systems in a
physically
secure
environment.”</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">It
also seems
that now that
the old zone
definitions
have been
combined and
now Physically
Secure
Environment
now covers
both physical
and logical
environments.
If we
eliminate
physical
security, then
we could just
address
logical
security which
could be
better applied
to the NetSec
document.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">In
a future
ballot, we
might want to
push some of
the Trusted
Role
requirements
into BR 5.2.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks,
Bruce.</p>
<p class="MsoNormal"> </p>
<div>
<div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in;border-color:currentcolor">
<p class="MsoNormal"><b>From:</b>
Netsec <<a href="mailto:netsec-bounces@cabforum.org" rel="noreferrer" target="_blank">netsec-bounces@cabforum.org</a>> <b>On Behalf
Of </b>Neil
Dunbar via
Netsec<br>
<b>Sent:</b>
Tuesday, May
26, 2020 7:42
AM<br>
<b>To:</b> <a href="mailto:netsec@cabforum.org" rel="noreferrer" target="_blank">netsec@cabforum.org</a><br>
<b>Subject:</b>
[EXTERNAL]Re:
[cabf_netsec]
"Zones" Ballot
Endorsers</p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><strong><span style="font-family:"Calibri",sans-serif;color:red">WARNING:</span></strong>
This email
originated
outside of
Entrust
Datacard.<br>
<strong><span style="font-family:"Calibri",sans-serif;color:red">DO NOT
CLICK</span></strong>
links or
attachments
unless you
trust the
sender and
know the
content is
safe.</p>
<div class="MsoNormal" style="text-align:center" align="center">
<hr width="100%" size="2" align="center">
</div>
<p>I'm happy to
endorse, Ben.
Trev and David
also said they
would be good
to endorse the
ballot.</p>
<p>Neil</p>
<div>
<p class="MsoNormal">On
13/05/2020
20:58, Ben
Wilson via
Netsec wrote:</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal">I
can't remember
whether there
were people
who
volunteered to
be endorsers
of the "Zones"
ballot. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">See
below:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Ballot
and
Explanation -
<a href="https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing" rel="noreferrer" target="_blank">
https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing</a></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Redlined
version of
NCSSRs - <a href="https://drive.google.com/file/d/1n6LPNN0WJY9Cdw5qOl2-fFzQxBiZtw-q/view?usp=sharing" rel="noreferrer" target="_blank">
https://drive.google.com/file/d/1n6LPNN0WJY9Cdw5qOl2-fFzQxBiZtw-q/view?usp=sharing</a></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12pt"> </p>
<pre>_______________________________________________</pre>
<pre>Netsec mailing list</pre>
<pre><a href="mailto:Netsec@cabforum.org" rel="noreferrer" target="_blank">Netsec@cabforum.org</a></pre>
<pre><a href="http://cabforum.org/mailman/listinfo/netsec" rel="noreferrer" target="_blank">http://cabforum.org/mailman/listinfo/netsec</a></pre>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
</blockquote></div>
</blockquote></div>