<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello Ben,<div class="">In principle I would say that extending the concept of lack of connectivity to “Electrical Connections” would impose a big challenge, because even if the systems are normally powered off and electrical cables are disconnected, at the moment of powering up the systems (i.e. for a ceremony) we’d be breaching that requirement.</div><div class="">BR/P <br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 15 Oct 2022, at 05:39, Ben Wilson via Netsec &lt;<a href="mailto:netsec@cabforum.org" class="">netsec@cabforum.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
<div class="">
<div dir="ltr" class="">
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">All,</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">Both <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__csrc.nist.gov_glossary_term_air-5Fgap&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=LmvNtrygpWXbKZ3KY7uXI6Qz7YaICZdsR9VOMM9tOUo&s=05O03TdRvsnIHsm0s4tXXiC6o8fWB9-q1mnU1gzxe0k&e=" class="">
https://csrc.nist.gov/glossary/term/air_gap</a> and <span style="line-height:107%" class="">
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_rfc_rfc4949&d=DwMFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=-bX5hBm1IdRDykQ-dBR8tsFRCM4v1VXUyG7RZa2WqPY&m=LmvNtrygpWXbKZ3KY7uXI6Qz7YaICZdsR9VOMM9tOUo&s=AISpylDx7SDnLQ0TQ0PzCB8PL8aPhNArmjJzOoZyUsY&e=" style="color:rgb(5,99,193);text-decoration:underline" class="">https://www.rfc-editor.org/rfc/rfc4949</a>
<span class="">define "air gap" as "</span></span>An interface between two systems at which (a) they are not<span class="">
</span>connected physically and (b) any logical connection is not<span class=""> </span>automated (i.e., data is transferred through the interface only<span class=""></span><span style="line-height:107%" class=""><span class="">
</span>manually, under human control).</span>" <br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">But this definition seems antiquated and not entirely clear. For instance, it doesn't address wireless connections, only physical connections. Also, I believe that use of the word "interface" and
other language in that definition have the potential to cause confusion. <br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">RFC 4949 does clarify the definition with a parenthetical and an example:</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div style="margin-left:40px" class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">(See: sneaker net. Compare:<span class="">
</span>gateway.) <br class="">
</span></font></div>
<div style="margin-left:40px" class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div style="margin-left:40px" class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">Example: Computer A and computer B are on opposite sides of a<span class="">
</span>room. To move data from A to B, a person carries a disk across the<span class=""> </span>
room. If A and B operate in different security domains, then<span class=""> </span>moving data across the air gap may involve an upgrade or downgrade<span class="">
</span>operation.<span class=""></span></span></font><br class="">
</div>
<div style="margin-left:40px" class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""></span></font></div>
<div class=""><br class="">
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""></span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">One<font size="2" class=""><span style="font-family:arial,sans-serif" class=""> potential definition of "air-gapped"</span></font> (Alternative A) could be "<span style="line-height:107%" class="">separation between two devices
or networks because they lack an electrical or wireless connection, which prevents them from communicating except by some external, manual, human interaction (e.g. computer A and computer B are on opposite sides of a room, and to move data from A to B, a person
must carry a transfer device across the room)."</span></span></font></div>
<div class=""><font size="2" class=""><span style="font-size:11pt;line-height:107%;font-family:"Calibri",sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-size:11pt;line-height:107%;font-family:"Calibri",sans-serif" class="">Alternative B could be:</span></font><span style="font-size:10pt;line-height:107%;font-family:"Arial",sans-serif" class=""> "the absence of connections (electrical, wireless,
or any other networking) that prevents a system from communicating with another system and requires human intervention and a transfer device for data to move between the two systems."</span></div>
<div class=""><span style="font-size:10pt;line-height:107%;font-family:"Arial",sans-serif" class=""><br class="">
</span></div>
<div class=""><span style="font-size:10pt;line-height:107%;font-family:"Arial",sans-serif" class="">Alternative C would be to define "Air Gap", as above in
<span style="font-size:10pt;line-height:107%;font-family:"Arial",sans-serif" class="">the CSRC/RFC definition,</span> and add the words "or wirelessly", so that it would read "<font size="2" class=""><span style="font-family:arial,sans-serif" class="">An interface between two systems
at which (a) they are not<span class=""> </span>connected physically <u class="">or wirelessly</u> and (b) any logical connection is not<span class="">
</span>automated (i.e., data is transferred through the interface only<span class=""></span><span style="line-height:107%" class=""><span class="">
</span>manually, under human control).</span>" <br class="">
</span></font></span></div>
<div class=""><span style="font-size:10pt;line-height:107%;font-family:"Arial",sans-serif" class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></span></div>
<div class="">
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">Also, I'll raise it here, for completeness, but I'm thinking we do not want to enlarge the scope of "air-gapped" to allow cryptographic, tunneled connections. I'm inclined to keep our definition
simple (and hence hopefully more secure), but if anyone has other suggestions, please feel free to chime in.</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">Please provide Alternatives D to Z.<br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">Finally, while I'm thinking about it, in the NCSSRs, do we want to consider "powered off and locked in a safe" separately from "air gapped" - it seems there might be a different risk profile?<br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">Thanks in advance,</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class=""><br class="">
</span></font></div>
<div class=""><font size="2" class=""><span style="font-family:arial,sans-serif" class="">Ben<br class="">
</span></font></div>
<font size="2" class=""></font></div>
<div class=""><font size="2" class=""><br class="">
</font></div>
<div class=""><font size="2" class=""><br class="">
</font></div>
<div class=""><font size="2" class=""><br class="">
</font></div>
</div>
</div>
</div>
</div></blockquote></div><br class=""><div class="">
<meta charset="UTF-8" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="text-align: start; text-indent: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><font class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; line-height: normal; text-align: start; text-indent: 0px;"><b class=""><font 
color="#f62400" class="" style="font-size: 11px;"><br class="Apple-interchange-newline">WISeKey SA<br class=""></font></b></font><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font class="" style="color: rgb(0, 0, 0); font-size: 12px; font-weight: normal; font-style: normal;"><span class="" style="font-size: 11px;"><b class="">Pedro Fuentes<br class=""></b>CSO - Trust Services Manager</span><br class=""><font size="1" class="">Office: + 41 (0) 22 594 30 00<br class="">Mobile: + 41 (0) </font></font><span style="color: rgb(0, 0, 0); font-size: x-small; font-weight: normal; font-style: normal;" class="">791 274 790</span></div><div class="" style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 0px;"><font class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><font size="1" class="">Address: </font></font><font size="1" class="">Avenue Louis-Casaï 58 | </font><span style="font-size: x-small;" class="">1216 Cointrin | Switzerland</span></div><div class="" style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; text-align: start; text-indent: 
0px;"><font class=""><font size="1" class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px;"><b class="">Stay connected with <a href="http://www.wisekey.com" class=""><font color="#f62400" class="">WISeKey</font></a><br class=""></b></font></font><span class="" style="caret-color: rgb(0, 0, 0); color: rgb(169, 169, 169); font-size: 10px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; orphans: 2; widows: 2;"><br class=""></span></div><div class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); letter-spacing: normal; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; -webkit-text-stroke-width: 0px; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; line-height: normal; text-align: start; text-indent: 0px;"><div class="" style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><span class="" style="orphans: 2; widows: 2;"><font size="1" color="#78a600" class=""><b class="">THIS IS A TRUSTED MAIL</b>: This message is digitally signed with a WISeKey identity. 
If you get a mail from WISeKey please check the signature to avoid security risks</font></span></div><div class="" style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><span class="" style="orphans: 2; widows: 2; font-size: 9px;"><font color="#a9a9a9" class=""><br class=""></font></span></div><div class="" style="font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal;"><div class="" style="orphans: 2; widows: 2;"><font color="#a9a9a9" class="" style="font-size: 9px;"><b class="">CONFIDENTIALITY: </b>This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender</font></div><div class="" style="orphans: 2; widows: 2;"><font color="#a9a9a9" class="" style="font-size: 9px;"><br class=""></font></div><div class="" style="orphans: 2; widows: 2;"><font color="#a9a9a9" class="" style="font-size: 9px;"><b class="">DISCLAIMER: </b>WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.</font></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
<br class=""></div></body></html>