<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Bradley Hand ITC";
panose-1:3 7 4 2 5 3 2 3 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.Standard, li.Standard, div.Standard
{mso-style-name:Standard;
margin-top:0in;
margin-right:0in;
margin-bottom:10.0pt;
margin-left:0in;
line-height:115%;
punctuation-wrap:simple;
text-autospace:none;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle29
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle30
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>There are several comments in this thread that have not been supported with facts or an adequate basis to show the exact problem with the current wording or to give sufficient support to a change. A publicly trusted CA should maintain an offline root. If the system needs to be up and running, then it should be air-gapped. Why would a CA want to expose itself and its users unnecessarily by maintaining an online root CA that wasn’t protected by an air gap? In light of Stuxnet and Flame, do we really think that it would be a good idea for publicly trusted CAs? Also, if the security document had problems, why are they being raised now? There has been plenty of time and opportunity before now to submit comments. I’ve told others that I thought it was a little too late to wordsmith and that they should submit a motion for an errata after adoption. What do we tell them now? Also, the proposed wording is too broad for the specific problem and any exception should be narrowly tailored. I would think that those root CAs needing to stay online in order to issue CRLs for certificates previously issued could be identified and disclosed so that we know the relative impact of a proposed change. But as proposed, we are no longer talking only about legacy Root CAs that need to remain online only for the purpose of issuing CRLs. The proposed language appears to grandfather all CAs with an issue date indicating they were created before the Effective Date. So what are we accomplishing and for what purpose? If I were to entertain an amendment on the proposed language, then other members would likely vote against the document (and the proposal below is not amendment to the motion, it is an amendment to the document). So I believe the only way to move forward is to push the current document to vote. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Bruce Morton<br><b>Sent:</b> Thursday, July 26, 2012 11:16 AM<br><b>To:</b> 'Rick Andrews'; 'public@cabforum.org'<br><b>Subject:</b> Re: [cabfpub] FW: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Entrust would favor the change recommended below.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Bruce.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> <a href="mailto:[mailto:public-bounces@cabforum.org]">[mailto:public-bounces@cabforum.org]</a> <b>On Behalf Of </b>Rick Andrews<br><b>Sent:</b> Thursday, July 26, 2012 12:10 PM<br><b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> [cabfpub] FW: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>Sending to a broader audience.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>Ben, please consider this amendment to your motion.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rick Andrews <br><b>Sent:</b> Tuesday, July 24, 2012 2:30 PM<br><b>To:</b> 'chris_bailey@trendmicro.com'; Dean Coclin<br><b>Cc:</b> <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a><br><b>Subject:</b> RE: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-IE><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>Chris,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>I believe the document imposes password restrictions only on user accounts, not hardware like smart cards. But I think we’re fine delaying the vote to give more people a chance to look more deeply at this (I think few people commented on it before Ben sent it out for balloting).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>For the air-gap sentence, I propose changing<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>“</span><span lang=EN-IE style='font-family:"Cambria","serif"'>Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks;</span><span lang=EN-IE style='color:#1F497D'>”<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>To<o:p></o:p></span></p><p class=Standard style='margin-bottom:12.0pt;line-height:normal'><span style='color:#1F497D'>“</span><span style='font-family:"Cambria","serif"'>Maintain Root CA Systems in a High Security Zone; to the greatest extent possible, keep Root CA Systems in an offline state or air-gapped from all other networks. Minimize the number of legacy Root CA Systems (created before the Effective Date) that must be kept online, and if possible restrict them to CRL signing only.</span><span style='color:#1F497D'>”</span><span style='font-family:"Cambria","serif"'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>What do you think of that change?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a> <a href="mailto:[mailto:chris_bailey@trendmicro.com]">[mailto:chris_bailey@trendmicro.com]</a> <br><b>Sent:</b> Tuesday, July 24, 2012 1:15 PM<br><b>To:</b> Dean Coclin<br><b>Cc:</b> <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>; Rick Andrews; <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a><br><b>Subject:</b> Re: Question on Ballot 83 - Network and Certificate System Security Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-IE><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-IE>Dean,<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-IE><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-IE>I <span class=apple-style-span>agree. Additionally, there are other issues that are in this ballot that I would consider "recommended when practical". For example, there are certain smart cards that only allow a limited set of characters for the password. If these smart cards are used for offline backups, do these backups need to be refreshed every 3 months? I am sure there are other things in here as well, so I would like some more time to measure the impact to our own infrastructure and to make sure that it is not going to be an issue for other CAs as well if this ballot will be required.</span><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-IE><o:p> </o:p></span></p></div><div><p class=MsoNormal><span class=apple-style-span><span lang=EN-IE>So, we can either propose a delay in the vote and then offer to change the language or simply vote no to the ballot.</span></span><span lang=EN-IE><o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-IE><o:p> </o:p></span></p></div><div><p class=MsoNormal><span class=apple-style-span><span lang=EN-IE>Any thought?</span></span><span lang=EN-IE><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-IE><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-IE><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-IE>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-IE><o:p> </o:p></span></p></div><div><p class=MsoNormal><span lang=EN-IE>Chris<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-IE><br>Sent from my iPad<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-IE><br>On Jul 24, 2012, at 12:17 PM, "Dean Coclin" <<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>> wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>I’ll amend what I said a bit: there are some “legacy” systems that may have issued off the root in the past and will be required to issue CRLs going forward off the root. So I think these reqts should specify some sort of date so that legacy systems should be covered.</span><span lang=EN-IE><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'><br>Dean</span><span lang=EN-IE><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'> </span><span lang=EN-IE><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-IE style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-IE style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Dean Coclin <br><b>Sent:</b> Monday, July 23, 2012 2:29 PM<br><b>To:</b> '<a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a>'; Rick Andrews<br><b>Cc:</b> <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>; <a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a><br><b>Subject:</b> RE: Question on Ballot 83 - Network and Certificate System Security Requirements</span><span lang=EN-IE><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-IE> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>It’s always good security practice to keep the roots offline. This is pretty standard in most PKIs as well as in the Federal CP. We are in support of this requirement.</span><span lang=EN-IE><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'> </span><span lang=EN-IE><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>Dean</span><span lang=EN-IE><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'> </span><span lang=EN-IE><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-IE style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-IE style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:kirk_hall@trendmicro.com">kirk_hall@trendmicro.com</a> <a href="mailto:[mailto:kirk_hall@trendmicro.com]">[mailto:kirk_hall@trendmicro.com]</a> <br><b>Sent:</b> Monday, July 23, 2012 2:20 PM<br><b>To:</b> Dean Coclin; Rick Andrews<br><b>Cc:</b> <a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>; <a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>; <a href="mailto:chris_bailey@trendmicro.com">chris_bailey@trendmicro.com</a><br><b>Subject:</b> FW: Question on Ballot 83 - Network and Certificate System Security Requirements</span><span lang=EN-IE><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-IE> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'>Resending with the right people this time.</span><span lang=EN-IE><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE style='color:#1F497D'> </span><span lang=EN-IE><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-IE style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-IE style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Kirk Hall (RD-US) <br><b>Sent:</b> Monday, July 23, 2012 9:55 AM<br><b>To:</b> Derek Lohrey; Wayne Thayer (<a href="mailto:wthayer@godaddy.com">wthayer@godaddy.com</a>); Tim Moses (<a href="mailto:tim.moses@entrust.com">tim.moses@entrust.com</a>)<br><b>Cc:</b> Chris Bailey (RD-US)<br><b>Subject:</b> Question on Ballot 83 - Network and Certificate System Security Requirements</span><span lang=EN-IE><o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-IE> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE>Gentlemen – in looking at the Network and Certificate System Security Requirements, we are not convinced that the requirement of keeping the root CAs offline and/or air gapped makes sense. None of the breaches to date involved compromise of the root CAs, and this will limit the ability of a CA to maintain current root CRLs on a frequent (balanced) basis (having the roots push out CRLs in a secure environment in an automated fashion), but arguably will require manual procedures at frequent intervals.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE>Are you in support of this particular requirement? Is it worth raising this as an issue, and asking for modification?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE>I know we raised this in the past, but I don’t recall that we ever got a specific response back on why roots in particular had to be kept offline or air/gapped. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE> <o:p></o:p></span></p><p class=MsoNormal><b><i><span lang=EN-IE style='font-size:14.0pt;font-family:"Bradley Hand ITC";color:#0F243E'>Kirk R. Hall</span></i></b><span lang=EN-IE><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE>Operations Director, Trust Services<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE>Trend Micro<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE>+1.503.243.5405<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-IE> <o:p></o:p></span></p><table class=MsoNormalTable border=0 cellpadding=0><tr><td style='background:white;padding:.75pt .75pt .75pt .75pt'><pre><span style='color:black'>TREND MICRO EMAIL NOTICE</span><o:p></o:p></pre><pre><span style='color:black'>The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.</span><o:p></o:p></pre></td></tr></table><p class=MsoNormal><span lang=EN-IE style='font-size:12.0pt;font-family:"Times New Roman","serif"'> </span><span lang=EN-IE><o:p></o:p></span></p></div></blockquote><table class=MsoNormalTable border=0 cellpadding=0><tr><td style='background:white;padding:.75pt .75pt .75pt .75pt'><pre><span style='color:black'>TREND MICRO EMAIL NOTICE<o:p></o:p></span></pre><pre><span style='color:black'>The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.<o:p></o:p></span></pre></td></tr></table><p class=MsoNormal><span lang=EN-IE style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></div></body></html>