<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Bradley Hand ITC";
panose-1:3 7 4 2 5 3 2 3 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.Standard, li.Standard, div.Standard
{mso-style-name:Standard;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:0in;
line-height:115%;
punctuation-wrap:simple;
text-autospace:none;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle29
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Entrust would favor the change recommended below.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Rick Andrews<br>
<b>Sent:</b> Thursday, July 26, 2012 12:10 PM<br>
<b>To:</b> public@cabforum.org<br>
<b>Subject:</b> [cabfpub] FW: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">Sending to a broader audience.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">Ben, please consider this amendment to your motion.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">-Rick<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Rick Andrews
<br>
<b>Sent:</b> Tuesday, July 24, 2012 2:30 PM<br>
<b>To:</b> 'chris_bailey@trendmicro.com'; Dean Coclin<br>
<b>Cc:</b> <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>;
<a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">
tim.moses@entrust.com</a><br>
<b>Subject:</b> RE: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">Chris,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">I believe the document imposes password restrictions only on user accounts, not hardware like smart cards. But I think we’re fine delaying the vote to give more people a chance to look more deeply
at this (I think few people commented on it before Ben sent it out for balloting).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">For the air-gap sentence, I propose changing<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">“</span><span lang="EN-IE" style="font-family:"Cambria","serif"">Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks;</span><span lang="EN-IE" style="color:#1F497D">”<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">To<o:p></o:p></span></p>
<p class="Standard" style="margin-bottom:12.0pt;line-height:normal"><span style="color:#1F497D">“</span><span style="font-family:"Cambria","serif"">Maintain Root CA Systems in a High Security Zone; to the greatest extent possible, keep Root CA Systems in an
offline state or air-gapped from all other networks. Minimize the number of legacy Root CA Systems (created before the Effective Date) that must be kept online, and if possible restrict them to CRL signing only.</span><span style="color:#1F497D">”</span><span style="font-family:"Cambria","serif""><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">What do you think of that change?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">-Rick<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a><br>
<b>Sent:</b> Tuesday, July 24, 2012 1:15 PM<br>
<b>To:</b> Dean Coclin<br>
<b>Cc:</b> <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; Rick Andrews;
<a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">
tim.moses@entrust.com</a><br>
<b>Subject:</b> Re: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-IE">Dean,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE">I <span class="apple-style-span">agree. Additionally, there are other issues that are in this ballot that I would consider "recommended when practical". For example, there are certain smart cards that only allow a limited
set of characters for the password. If these smart cards are used for offline backups, do these backups need to be refreshed every 3 months? I am sure there are other things in here as well, so I would like some more time to measure the impact to our own infrastructure
and to make sure that it is not going to be an issue for other CAs as well if this ballot will be required.</span><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-style-span"><span lang="EN-IE">So, we can either propose a delay in the vote and then offer to change the language or simply vote no to the ballot.</span></span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span class="apple-style-span"><span lang="EN-IE">Any thoughts?</span></span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE">Chris<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE"><br>
Sent from my iPad<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-IE"><br>
On Jul 24, 2012, at 12:17 PM, "Dean Coclin" <<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">I’ll amend what I said a bit: there are some “legacy” systems that may have issued off the root in the past and will be required to issue CRLs going forward off the root. So I think these requirements should
specify some sort of date so that legacy systems are covered.</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"><br>
Dean</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"> </span><span lang="EN-IE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-IE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-IE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Dean Coclin
<br>
<b>Sent:</b> Monday, July 23, 2012 2:29 PM<br>
<b>To:</b> '<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>'; Rick Andrews<br>
<b>Cc:</b> <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">
tim.moses@entrust.com</a>; <a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a><br>
<b>Subject:</b> RE: Question on Ballot 83 - Network and Certificate System Security Requirements</span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">It’s always good security practice to keep the roots offline. This is pretty standard in most PKIs as well as in the Federal CP. We are in support of this requirement.</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"> </span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">Dean</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"> </span><span lang="EN-IE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-IE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-IE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a><br>
<b>Sent:</b> Monday, July 23, 2012 2:20 PM<br>
<b>To:</b> Dean Coclin; Rick Andrews<br>
<b>Cc:</b> <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">
tim.moses@entrust.com</a>; <a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a><br>
<b>Subject:</b> FW: Question on Ballot 83 - Network and Certificate System Security Requirements</span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D">Resending with the right people this time.</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="color:#1F497D"> </span><span lang="EN-IE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="EN-IE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-IE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Kirk Hall (RD-US)
<br>
<b>Sent:</b> Monday, July 23, 2012 9:55 AM<br>
<b>To:</b> Derek Lohrey; Wayne Thayer (<a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>); Tim Moses (<a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>)<br>
<b>Cc:</b> Chris Bailey (RD-US)<br>
<b>Subject:</b> Question on Ballot 83 - Network and Certificate System Security Requirements</span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE">Gentlemen – in looking at the Network and Certificate System Security Requirements, we are not convinced that the requirement of keeping the root CAs offline and/or air-gapped makes sense. None of the breaches to date
involved compromise of the root CAs, and this will limit the ability of a CA to maintain current root CRLs on a frequent (balanced) basis (having the roots push out CRLs in a secure environment in an automated fashion), but arguably will require manual procedures
at frequent intervals.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE">Are you in support of this particular requirement? Is it worth raising this as an issue, and asking for modification?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE">I know we raised this in the past, but I don’t recall that we ever got a specific response back on why roots in particular had to be kept offline or air-gapped.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
<p class="MsoNormal"><b><i><span lang="EN-IE" style="font-size:14.0pt;font-family:"Bradley Hand ITC";color:#0F243E">Kirk R. Hall</span></i></b><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE">Operations Director, Trust Services<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE">Trend Micro<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE">+1.503.243.5405<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="background:white;padding:.75pt .75pt .75pt .75pt">
<pre><span style="color:black">TREND MICRO EMAIL NOTICE</span><o:p></o:p></pre>
<pre><span style="color:black">The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.</span><o:p></o:p></pre>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span lang="EN-IE" style="font-size:12.0pt;font-family:"Times New Roman","serif""> </span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal"><span lang="EN-IE" style="font-size:12.0pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
</div>
</body>
</html>