<div dir="ltr"><div>Thanks, Pavan,</div><div><br></div><div>Here is another draft:</div><div><br></div><div>Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and as Air-Gapped CA Systems, in accordance with Section 5;"</div><div><br></div><div>Add definition of "Air-Gapped CA System" as "A system that is kept offline or otherwise air-gapped and separated from other systems used by a CA or Delegated Third Party in storing and managing CA private keys and performing signing and logging operations."</div><div><br></div><div>Add a new Section 5:<br></div><div><br></div><div>
<h1>5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS</h1>
<p>This Section 5 separates requirements for Air-Gapped CA Systems into two categories: logical security and physical security.</p>
<p><strong>Logical Security of Air-Gapped CA Systems</strong></p>
<p>Certification Authorities and Delegated Third Parties SHALL implement
the following controls to ensure the logical security of Air-Gapped CA
Systems:</p>
<p>a. Review static configurations of Air-Gapped CA Systems at least on
an annual basis to determine whether any changes violated the CA’s
security policies;</p>
<p>b. Follow a documented procedure for appointing individuals to Trusted Roles on Air-Gapped CA Systems;</p>
<p>c. Grant logical access to Air-Gapped CA Systems only to persons
acting in Trusted Roles and require their accountability for the
Air-Gapped CA System's security;</p>
<p>d. Document the responsibilities and tasks assigned to Trusted Roles
and implement "separation of duties" for such Trusted Roles based on the
security-related concerns of the functions to be performed;</p>
<p>e. Ensure that an individual in a Trusted Role acts only within the
scope of such role when performing administrative tasks assigned to that
role;</p>
<p>f. Require employees and contractors to observe the principle of
"least privilege" when accessing, or when configuring access privileges
on, Air-Gapped CA Systems;</p>
<p>g. Require that all access to systems and offline key material can be
traced back to an individual in a Trusted Role (through a combination
of recordkeeping, use of logical and physical credentials,
authentication factors, video recording, etc.);</p>
<p>h. If an authentication control used by a Trusted Role is a username
and password, then, where technically feasible, require that passwords
have at least twelve (12) characters;</p>
<p>i. Review logical access control lists at least annually and
deactivate any accounts that are no longer necessary for operations;</p>
<p>j. Enforce Multi-Factor Authentication OR multi-party authentication for administrator access to Air-Gapped CA Systems;</p>
<p>k. Identify those Air-Gapped CA Systems capable of monitoring and
logging system activity and enable those systems to continuously monitor
and log system activity. Back up logs to an external system each time
the system is used or on a quarterly basis, whichever is less frequent;</p>
<p>l. On a quarterly basis or each time the Air-Gapped CA System is
used, whichever is less frequent, check the integrity of the logical
access logging processes and ensure that logging and log-integrity
functions are effective;</p>
<p>m. On a quarterly basis or each time the Air-Gapped CA System is
used, whichever is less frequent, monitor the archival and retention of
logical access logs to ensure that logs are retained for the appropriate
amount of time in accordance with the disclosed business practices and
applicable legislation;</p>
<p>n. Reserved for future use</p>
<p>o. Reserved for future use</p>
<p><strong>Physical Security of Air-Gapped CA Systems</strong></p>
<p>Certification Authorities and Delegated Third Parties SHALL implement
the following controls to ensure the physical security of Air-Gapped CA
Systems:</p>
<p>p. Grant physical access to Air-Gapped CA Systems only to persons
acting in Trusted Roles and require their accountability for the
Air-Gapped CA System’s security;</p>
<p>q. Ensure that only personnel assigned to Trusted Roles have physical
access to Air-Gapped CA Systems and that multi-person access controls are
enforced at all times;</p>
<p>r. Implement a process that removes an individual's physical access
to all Air-Gapped CA Systems within twenty-four (24) hours of
termination of the individual's employment or contracting relationship
with the CA or Delegated Third Party;</p>
<p>s. Implement video monitoring, intrusion detection, and prevention
controls to protect Air-Gapped CA Systems against unauthorized physical
access attempts;</p>
<p>t. Implement a Security Support System that monitors, detects, and
reports any security-related configuration change to the physical access
to Air-Gapped CA Systems;</p>
<p>u. Review all system accounts on physical access control lists at
least every three (3) months and deactivate any accounts that are no
longer necessary for operations;</p>
<p>v. On a quarterly basis or each time the Air-Gapped CA System is
used, whichever is less frequent, monitor the archival and retention of
the physical access logs to ensure that logs are retained for the
appropriate amount of time in accordance with the disclosed business
practices and applicable legislation;</p>
<p>w. On a quarterly basis or each time the Air-Gapped CA System is
used, whichever is less frequent, check the integrity of the physical
access logging processes and ensure that logging and log-integrity
functions are effective.</p>
</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 29, 2020 at 2:47 PM Chander, Pavan <<a href="mailto:pchander@deloitte.ca">pchander@deloitte.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_7012709466936826059WordSection1">
<p class="MsoNormal"><span style="font-size:9pt;font-family:"Verdana",sans-serif;color:rgb(31,73,125)">Hi Ben,</span></p>
<p class="MsoNormal"><span style="font-size:9pt;font-family:"Verdana",sans-serif;color:rgb(31,73,125)">I notice there aren’t any changes to 1.c in your diff. Just wanted to check if that was a purposeful omission?</span></p>
<p class="MsoNormal"><span style="font-size:9pt;font-family:"Verdana",sans-serif;color:rgb(31,73,125)">Now that your proposed wording defines Offline CA Systems as air-gapped, perhaps requirement 1.c about Root CAs being in either “offline state OR air-gapped” should be updated to either say “offline AND air-gapped” or something similar to “Maintain Root CA Systems in a High Security Zone as an Offline CA System”?</span></p>
<p class="MsoNormal"><span style="font-size:9pt;font-family:"Verdana",sans-serif;color:rgb(31,73,125)">Pavan</span></p>
<div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in">
<p class="MsoNormal"><b>From:</b> Netsec <<a href="mailto:netsec-bounces@cabforum.org" target="_blank">netsec-bounces@cabforum.org</a>> <b>On Behalf Of
</b>Ben Wilson via Netsec<br>
<b>Sent:</b> Monday, June 29, 2020 12:14 PM<br>
<b>To:</b> CABF Network Security List <<a href="mailto:netsec@cabforum.org" target="_blank">netsec@cabforum.org</a>><br>
<b>Subject:</b> [EXT] [cabf_netsec] SCXX: Offline CA Security Requirements</p>
</div>
<div>
<div>
<p class="MsoNormal">The Document Structure subgroup (Tim Crawford, David Kluge, and myself) met this morning and finalized the following ballot. We need a proposer and two endorsers:</p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:8pt;line-height:105%"><a href="https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:99ea75f4ad19c58a7f9eb2829e63fb1678a838fa" target="_blank">https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:99ea75f4ad19c58a7f9eb2829e63fb1678a838fa</a></p>
</div>
<div>
<p class="MsoNormal">Thanks,</p>
</div>
<div>
<p class="MsoNormal">Ben</p>
</div>
</div>
</div>
</div>
</blockquote></div>