<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Cambria;
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        punctuation-wrap:simple;
        text-autospace:none;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        punctuation-wrap:simple;
        text-autospace:none;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        punctuation-wrap:simple;
        text-autospace:none;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        punctuation-wrap:simple;
        text-autospace:none;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
p.Standard, li.Standard, div.Standard
        {mso-style-name:Standard;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:10.0pt;
        margin-left:0in;
        line-height:115%;
        punctuation-wrap:simple;
        text-autospace:none;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:153617303;
        mso-list-template-ids:-1823419146;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.25in;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:1.75in;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.25in;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.75in;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:3.25in;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.75in;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:4.25in;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:4.75in;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:201947014;
        mso-list-template-ids:1063929860;}
@list l1:level1
        {mso-level-start-at:3;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.5in;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:1.25in;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.75in;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.25in;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:2.75in;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.25in;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.75in;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:4.25in;
        text-indent:-9.0pt;}
@list l2
        {mso-list-id:905380475;
        mso-list-template-ids:-1823419146;}
@list l2:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.25in;}
@list l2:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.25in;
        text-indent:-.25in;}
@list l2:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:1.75in;
        text-indent:-9.0pt;}
@list l2:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.25in;
        text-indent:-.25in;}
@list l2:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.75in;
        text-indent:-.25in;}
@list l2:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:3.25in;
        text-indent:-9.0pt;}
@list l2:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.75in;
        text-indent:-.25in;}
@list l2:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:4.25in;
        text-indent:-.25in;}
@list l2:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:4.75in;
        text-indent:-9.0pt;}
@list l3
        {mso-list-id:1024281582;
        mso-list-template-ids:-1823419146;}
@list l3:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.25in;}
@list l3:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.25in;
        text-indent:-.25in;}
@list l3:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:1.75in;
        text-indent:-9.0pt;}
@list l3:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.25in;
        text-indent:-.25in;}
@list l3:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.75in;
        text-indent:-.25in;}
@list l3:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:3.25in;
        text-indent:-9.0pt;}
@list l3:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.75in;
        text-indent:-.25in;}
@list l3:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:4.25in;
        text-indent:-.25in;}
@list l3:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:4.75in;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>All,<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>Ballot 76 to release the draft Security Requirements for public discussion and comment was approved today with a vote of 11 in favor, none opposed.  The quorum requirement was 8.   I propose that we post the following announcement to the Mozilla Dev Security Policy mailing list, on the CA/Browser Forum web site, and elsewhere as appropriate:<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>12 - June -2012  -- Today, the CA/Browser Forum released a draft “Network and Certificate System Security Requirements” for public review, comment, and discussion.  Comments may be submitted through Friday, 22 June 2012, to <a href="mailto:questions@cabforum.org">questions@cabforum.org</a></span><span style='font-family:"Cambria","serif";color:windowtext'>, </span><span style='font-family:"Cambria","serif"'>or on the Mozilla Dev-Security-Policy mailing list:  <a href="mailto:dev-security-policy@lists.mozilla.org">dev-security-policy@lists.mozilla.org</a>.  When commenting, please indicate the section and subsection, if any, to which your comment is directed and offer constructive alternative language to resolve your concern whenever possible. <o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>It is anticipated that this document, when adopted, will provide a base level of network and system security controls that all certification authorities shall observe when operating as trust anchors in publicly distributed browser software.  
<o:p></o:p></span></p><p class=Standard align=center style='margin-bottom:12.0pt;text-align:center;line-height:normal'><b><span style='font-family:"Cambria","serif"'>NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS<o:p></o:p></span></b></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><b><span style='font-family:"Cambria","serif"'>Scope and Applicability:  </span></b><span style='font-family:"Cambria","serif"'>These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs) and are adopted with the intent that all such CAs and Delegated Third Parties be audited for conformity with these Requirements beginning [Date to be Determined] and that they be incorporated as mandatory requirements (if not already mandatory requirements) in WebTrust for Certification Authorities v. 2.0,  ETSI 101 456, ETSI TS 102 042, ISO 21188:2006, and subsequent versions, revisions, and implementations thereof, including the audit schemes that purport to determine conformity therewith.  The CA is responsible for all tasks performed by Delegated Third Parties and Trusted Roles.  The CA SHALL define, document, and disclose to its auditors (a) the tasks assigned to Delegated Third Parties or Trusted Roles, and (b) the arrangements made with Delegated Third parties to ensure compliance with these Requirements, and (c) the relevant practices implemented by Delegated Third Parties. 
<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level1 lfo1'><![if !supportLists]><b><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>      </span></span></span></b><![endif]><b><span style='font-family:"Cambria","serif"'>GENERAL PROTECTIONS FOR THE NETWORK AND SUPPORTING SYSTEMS <o:p></o:p></span></b></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>Each CA or Delegated Third Party SHALL:</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>a.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Segment Certificate Systems into networks or zones based on their functional, logical, and physical (including location) relationship;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>b.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Apply the same security controls to all systems co-located in the same zone with a Certificate System;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span 
style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>c.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>d.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Maintain and protect Issuing Systems, Certificate Management Systems, and Security Support Systems in at least a Secure Zone</span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>e.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Implement</span><span style='font-family:"Cambria","serif"'> and configure Security Support Systems that protect systems and communications between systems inside Secure Zones and High Security Zones,  and communications with non-Certificate Systems outside those zones (including those with organizational business units that do not provide PKI-related services) and those on public networks</span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard 
style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-size:9.0pt;font-family:"Cambria","serif"'><span style='mso-list:Ignore'>f.<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Configure each network boundary control (firewall, switch, router, gateway, or other network control device or system) with rules that support only the services, protocols, ports, and communications that the CA has identified as necessary to its operations</span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>g.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Configure Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems by removing or disabling all accounts, applications, services, protocols, and ports that are not used in the CA’s or Delegated Third Party’s operations and allowing only those that are approved by the CA or Delegated Third Party</span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>h.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span 
style='font-family:"Cambria","serif"'>Review changes to configurations of Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems on at least a weekly basis for compliance with the CA’s security policies</span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>i.<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Grant administration access to Certificate Systems only to persons acting in Trusted Roles and require their accountability for the Certificate System’s security</span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>j.<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Implement multi-factor  authentication to each Certificate System that supports multi-factor authentication (but see subsection 2.n.(ii) below)</span><span style='font-size:9.0pt;line-height:115%;font-family:"Cambria","serif"'>;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span 
style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>k.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Change authentication keys and passwords for privileged accounts and service accounts on Certificate Systems whenever a person’s authorization to administratively access the Certificate Systems is changed or revoked</span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>;</span><span style='font-family:"Cambria","serif"'> and</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level2 lfo1'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>l.<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Apply recommended security patches to Certificate Systems within six months of the security patch’s availability, unless the CA documents that the security patch would introduce additional vulnerabilities or instabilities that outweigh the benefits of applying the security patch</span><span style='font-family:"Cambria","serif"'> </span><span style='font-size:9.0pt;font-family:"Cambria","serif"'>.</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level1 lfo1'><a name="_Ref319922730"><![if !supportLists]><b><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>      </span></span></span></b><![endif]><b><span style='font-family:"Cambria","serif"'>TRUSTED ROLES, DELEGATED THIRD PARTIES, AND SYSTEM ACCOUNTS</span></b></a><b><span 
style='font-family:"Cambria","serif"'> <o:p></o:p></span></b></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>Each CA or Delegated Third Party SHALL:<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>a.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Follow a documented procedure for appointing individuals to Trusted Roles and assigning responsibilities to them;<o:p></o:p></span></p><p class=Standard style='margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>b.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Document the responsibilities and tasks assigned to Trusted Roles and implement “separation of duties” for such Trusted Roles based on the security-related concerns of the functions to be performed;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>c.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Ensure that only Trusted Roles have access to Secure Zones and High Security Zones;<o:p></o:p></span></p><p class=Standard 
style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>d.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Ensure that a Trusted Role only acts within the scope of such role when performing administrative tasks assigned to that role;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>e.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Require employees and contractors to observe the principle of “least privilege” when accessing, or when configuring access privileges on, Certificate Systems;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>f.<span style='font:7.0pt "Times New Roman"'>        </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Require that a Trusted Role use a unique credential created by or assigned to the Trusted Role to authenticate to Certificate Systems; <o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>g.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span 
style='font-family:"Cambria","serif"'>If an authentication control used by a Trusted Role is a username and password, then, where technically feasible, implement the following controls that require passwords:<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.25in;margin-bottom:.0001pt;text-indent:-1.25in;mso-text-indent-alt:-.25in;line-height:normal;mso-list:l2 level3 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                             </span>i.<span style='font:7.0pt "Times New Roman"'>            </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Have at least twelve (12) characters; OR<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.25in;margin-bottom:.0001pt;text-indent:-1.25in;mso-text-indent-alt:-.25in;line-height:normal;mso-list:l2 level3 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                           </span>ii.<span style='font:7.0pt "Times New Roman"'>            </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Have at least seven (7) characters, b</span><span style='font-family:"Cambria","serif"'>e changed at least every 90 days, use a combination of at least numeric and alphabetic characters, that are not a dictionary word or on a list of previously disclosed human-generated passwords; and not one of the user’s previous four passwords; OR<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.25in;margin-bottom:.0001pt;text-indent:-1.25in;mso-text-indent-alt:-.25in;line-height:normal;mso-list:l2 level3 lfo2'><![if !supportLists]><span 
style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                         </span>iii.<span style='font:7.0pt "Times New Roman"'>            </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Are created pursuant to a documented password management and account lockout policy that the CA has determined provide at least the same amount of protection against password guessing as either of the foregoing controls. <o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.75in;margin-bottom:.0001pt;line-height:normal'><span style='font-family:"Cambria","serif"'><o:p> </o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>h.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Require Trusted Roles to log out of or lock workstations when no longer in use;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>i.<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Configure workstations with inactivity time-outs that log the user off or lock the workstation after a set time of inactivity without input from the user  (the CA or Delegated Third Party MAY allow a workstation to remain active and unattended if the workstation is otherwise secured and running administrative tasks that would be interrupted by an inactivity time-out or 
system lock);<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>j.<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Review all system accounts at least quarterly and deactivate any accounts that are no longer necessary for operations; <o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>k.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Lock out account access to Certificate Systems after no more than five (5) failed access attempts, provided that this security measure is supported by the Certificate System and does not weaken the security of this authentication control;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>l.<span style='font:7.0pt "Times New Roman"'>         </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Implement a 24-hour process that disables an individual’s access to Certificate Systems upon termination of the individual’s employment or contracting relationship with the CA or Delegated Third Party;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><a 
name="_Ref319922708"><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>m.<span style='font:7.0pt "Times New Roman"'>    </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Enforce multi-factor authentication for administrator access to Issuing Systems and Certificate Management Systems;<o:p></o:p></span></a></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>n.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>For each Delegated Third Party, (i) require multi-factor authentication prior to the Delegated Third Party approving issuance of a Certificate or (ii) implement technical controls that restrict the Delegated Third Party’s ability to approve certificate issuance to a limited set of domain names;</span><span style='font-family:"Cambria","serif"'>   <o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>o.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when: (i) the remote connection originates from a device owned or controlled by the CA or Delegated Third Party and from a pre-approved external IP address, (ii) the remote connection is through a temporary, non-persistent encrypted channel that is supported by multi-factor authentication, and (iii) the remote connection is made to a designated 
intermediary device (a) located within the CA’s network, (b) secured in accordance with these Requirements, and (c) that mediates the remote connection to the Issuing System; and<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l2 level2 lfo2'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>p.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Ensure that access to Certificate Systems in High Security Zones requires the action of multiple individuals performing their Trusted Roles<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l3 level1 lfo1'><a name=h.rckerqj076vm></a><a name=h.34yrezedruic></a><a name=h.30y9jn9enhzl></a><![if !supportLists]><b><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>      </span></span></span></b><![endif]><b><span style='font-family:"Cambria","serif"'> LOGGING, MONITORING, & ALERTING <o:p></o:p></span></b></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>Certification Authorities and Delegated Third Parties </span><span style='font-family:"Cambria","serif"'>SHALL:<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>a.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Implement detection and prevention controls to protect Certificate Systems 
against viruses and malicious software</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>b.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Implement a Security Support System that will monitor, detect, and report any security-related configuration change to Certificate Systems;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>c.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Identify those Certificate Systems capable of monitoring and logging system activity and enable those systems to continuously monitor and log system activity;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>d.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Implement automated mechanisms to process logged system activity and alert personnel, using notices provided to multiple destinations, of possible Critical Security Events; <o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if 
!supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>e.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Require personnel to follow up on notices of possible Critical Security Events;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>f.<span style='font:7.0pt "Times New Roman"'>        </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Manually review application and system logs on at least a quarterly basis for anomalous activity </span><span style='font-family:"Cambria","serif"'>and review and validate logging processes to ensure the proper operation of monitoring, logging, alerting, and log-integrity-verification functions, and confirm audit log integrity </span><span style='font-family:"Cambria","serif"'>(the CA or Delegated Third Party MAY use an in-house or third-party audit log reduction and analysis tool); </span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>g.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Maintain, archive, and retain logs in accordance with disclosed business practices and applicable legislation; and<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span 
style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>h.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Permit only authorized individuals to retrieve logs and only for business or security reasons.<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;text-indent:-.5in;line-height:normal;page-break-after:avoid;mso-list:l1 level1 lfo3'><![if !supportLists]><b><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>                  </span></span></span></b><![endif]><b><span style='font-family:"Cambria","serif"'>VULNERABILITY DETECTION AND PATCH MANAGEMENT<o:p></o:p></span></b></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='font-family:"Cambria","serif"'>Certification Authorities and Delegated Third Parties </span><span style='font-family:"Cambria","serif"'>SHALL:<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>a.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Document and follow a vulnerability correction process that addresses the identification, review, response, and remediation of vulnerabilities;</span><span style='font-family:"Cambria","serif"'> <o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>b.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span 
style='font-family:"Cambria","serif"'>Undergo or perform a Vulnerability Scan (i) within one week of receiving a request from the CA/Browser Forum,  (ii) after any system or network changes that the CA determines are significant, and (iii) at least once per quarter, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>c.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Undergo a Penetration Test on the CA’s and each Delegated Third Party’s Certificate Systems on at least an annual basis and   after infrastructure or application upgrades or modifications that the CA determines are significant;<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>d.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Record evidence that each Vulnerability Scan and Penetration Test was performed by a person or entity (or collective group thereof) with the skills, tools, proficiency, and independence necessary to provide a reliable Vulnerability Scan or Penetration Test; and<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.75in;text-indent:-.25in;line-height:normal;mso-list:l1 level2 lfo3'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'>e.<span 
style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Do one of the following within 96 hours of discovery of a Critical Vulnerability not previously addressed by the CA’s vulnerability correction process:</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.25in;text-indent:-1.25in;mso-text-indent-alt:-.25in;line-height:normal;mso-list:l0 level3 lfo4'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                             </span>i.<span style='font:7.0pt "Times New Roman"'>            </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Remediate the Critical Vulnerability;</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.25in;text-indent:-1.25in;mso-text-indent-alt:-.25in;line-height:normal;mso-list:l0 level3 lfo4'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                           </span>ii.<span style='font:7.0pt "Times New Roman"'>            </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>If remediation of the Critical Vulnerability within 96 hours is not possible, create and implement a plan to mitigate the Critical Vulnerability, giving priority to (1) vulnerabilities with high CVSS scores, starting with the vulnerabilities the CA determines are the most critical  (such as those with a CVSS score of 10.0) and (2) systems that lack sufficient compensating controls that, if the vulnerability were left unmitigated, would allow external system control, </span><span 
style='font-family:"Cambria","serif"'>code execution, privilege escalation, or system compromise; or<o:p></o:p></span></p><p class=Standard style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.25in;text-indent:-1.25in;mso-text-indent-alt:-.25in;line-height:normal;mso-list:l0 level3 lfo4'><![if !supportLists]><span style='font-family:"Cambria","serif"'><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'>                                         </span>iii.<span style='font:7.0pt "Times New Roman"'>            </span></span></span><![endif]><span style='font-family:"Cambria","serif"'>Document the factual basis for the CA’s determination that the vulnerability does not require remediation because (a) the CA disagrees with the NVD rating, (b) the identification is a false positive, (c) the exploit of the vulnerability is prevented by compensating controls or an absence of threats, or (d) other similar reasons.<o:p></o:p></span></p><p class=Standard align=center style='margin-bottom:12.0pt;text-align:center;line-height:normal;page-break-before:always'><b><span style='font-family:"Cambria","serif"'>DEFINITIONS<o:p></o:p></span></b></p><p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;line-height:115%'><b><span style='font-size:11.0pt;line-height:115%;font-family:"Cambria","serif";color:black'>Certificate Management System:  </span></b><span style='font-size:11.0pt;line-height:115%;font-family:"Cambria","serif";color:black'> A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage.<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Certificate Systems:  </span></b><span style='font-family:"Cambria","serif"'>The system used by a CA or Delegated Third Party in providing 
identity verification, registration and enrollment, certificate approval, issuance, validity status, support, and other PKI-related services. <o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Common Vulnerability Scoring System (CVSS)</span></b><span style='font-family:"Cambria","serif"'>:  A quantitative model used to measure the base level severity of a vulnerability.<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Critical Security Event:</span></b><span style='font-family:"Cambria","serif"'>  Detection of an event, a set of circumstances, or anomalous activity that could lead to a circumvention of a Zone’s security controls or a compromise of a Certificate System’s integrity, including excessive login attempts, attempts to access prohibited resources, DoS/DDoS attacks, hacker reconnaissance, excessive traffic at unusual hours, signs of unauthorized access, system intrusion, or an actual compromise of component integrity.<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Critical Vulnerability:</span></b><span style='font-family:"Cambria","serif"'>  A system vulnerability that has a CVSS score of 7.0 or higher according to the NVD or an equivalent to such CVSS rating, or as otherwise designated as a Critical Vulnerability  by the CA or the CA/Browser Forum.</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Delegated Third Party:   </span></b><span style='font-family:"Cambria","serif"'>As defined<i> </i>in the Baseline Requirements.</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Delegated Third Party System: </span></b><span 
style='font-family:"Cambria","serif"'>Any part of a Certificate System used by a Delegated Third Party while performing the functions delegated to it by the CA.<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Front End / Infrastructure Support System:  </span></b><span style='font-family:"Cambria","serif"'>A system with a public IP address, including a web server, mail server, DNS server, jump host, or authentication server.<b>  </b></span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>High Security Zone:  </span></b><span style='font-family:"Cambria","serif"'>An area where a CA’s or Delegated Third Party’s Private Key or cryptographic hardware is located.</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Issuing System:  </span></b><span style='font-family:"Cambria","serif"'>A<b> </b></span><span style='font-family:"Cambria","serif"'>system used to sign certificates or validity status information. 
<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>National Vulnerability Database (NVD): </span></b><span style='font-family:"Cambria","serif"'>  A database that includes the Common Vulnerability Scoring System (CVSS) scores of security-related software flaws, misconfigurations, and vulnerabilities associated with systems.<b> <o:p></o:p></b></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>OWASP Top Ten:</span></b><span style='font-family:"Cambria","serif"'>  A list of application vulnerabilities published by the Open Web Application Security Project.<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Penetration Test:</span></b><span style='font-family:"Cambria","serif"'>   A process that identifies and attempts to exploit openings and vulnerabilities on systems through the active use of known hacker techniques, including the combination of different types of exploits, with a goal of breaking through layers of defenses and reporting on unpatched vulnerabilities and system weaknesses. 
<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Root CA System:</span></b><span style='font-family:"Cambria","serif"'>  A system used to create a Root Certificate or to generate, store, or sign with the Private Key associated with a Root Certificate.<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>SANS Top 25:</span></b><span style='font-family:"Cambria","serif"'>  A list created with input from the SANS Institute and the Common Weakness Enumeration (CWE) that identifies the Top 25 Most Dangerous Software Errors that lead to exploitable vulnerabilities.</span><b><span style='font-family:"Cambria","serif"'><o:p></o:p></span></b></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Secure Zone:</span></b><span style='font-family:"Cambria","serif"'>  An area (physical or logical) containing an Issuing System, Certificate Management System, and Security Support System (and the physical location of Front-End / Internal-Support Systems). 
<o:p></o:p></span></p><p class=MsoListParagraphCxSpFirst style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;line-height:115%'><b><span style='font-size:11.0pt;line-height:115%;font-family:"Cambria","serif";color:black'>Security Support System:</span></b><span style='font-size:11.0pt;line-height:115%;font-family:"Cambria","serif";color:black'>   A system used to provide security support functions, such as authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and <a name="_GoBack"></a>anti-virus.<o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;line-height:115%'><span style='font-size:11.0pt;line-height:115%;font-family:"Cambria","serif";color:black'><o:p> </o:p></span></p><p class=MsoListParagraphCxSpLast style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;line-height:115%'><b><span style='font-size:11.0pt;line-height:115%;font-family:"Cambria","serif";color:black'>System:</span></b><span style='font-size:11.0pt;line-height:115%;font-family:"Cambria","serif";color:black'>  One or more pieces of equipment or software that stores, transforms, or communicates data. 
</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Trusted Role:</span></b><span style='font-family:"Cambria","serif"'>  An employee or contractor of a CA or Delegated Third Party who has authorized access to or control over a Secure Zone or High Security Zone.<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Vulnerability Scan:</span></b><span style='font-family:"Cambria","serif"'>  A process that uses manual or automated tools to probe internal and external systems to check and report on the status of operating systems, services, and devices exposed to the network and the presence of vulnerabilities listed in the NVD, OWASP Top Ten, or SANS Top 25. <o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt'><b><span style='font-family:"Cambria","serif"'>Zone:</span></b><span style='font-family:"Cambria","serif"'>  A subset of Certificate Systems created by the logical or physical partitioning of systems from other Certificate Systems.</span><b><span style='font-family:"Cambria","serif"'><o:p></o:p></span></b></p><p class=Standard style='margin-bottom:12.0pt'><span style='font-family:"Cambria","serif"'><o:p> </o:p></span></p><p class=MsoNormal align=right style='text-align:right'><span style='font-family:"Times New Roman","serif"'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:9.0pt;font-family:"Arial","sans-serif";color:black'>Benjamin T. 
Wilson, JD CISSP <br>General Counsel and SVP Industry Relations<br>DigiCert, Inc.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="http://www.digicert.com/"><span style='font-size:12.0pt;font-family:"Times New Roman","serif";color:blue;text-decoration:none'><img border=0 width=224 height=58 id="Picture_x0020_1" src="cid:image001.gif@01CD48BC.F4A57CB0" alt="Visit DigiCert.com"></span></a><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:8.5pt;font-family:"Arial","sans-serif";color:#666666'>Online: <a href="http://www.digicert.com/" target="_blank"><span style='color:blue'>www.DigiCert.com</span></a><br>Email: <a href="mailto:ben@digicert.com"><span style='color:blue'>ben@digicert.com</span></a><br>Toll Free: <b>1-800-896-7973</b> (US & Canada)<br>Direct: <b>1-801-701-9678</b><br>Fax: <b>1-866-842-0223</b> (Toll Free if calling from the US or Canada) <o:p></o:p></span></p><div class=MsoNormal align=center style='text-align:center'><hr size=1 width="100%" noshade style='color:#007DC0' align=center></div><p class=MsoNormal><span style='font-size:7.0pt;font-family:"Arial","sans-serif";color:#007DC0'>The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Thank You</span><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>