<div dir="ltr"><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Peter Bowen</b> <span dir="ltr"><<a href="mailto:pzbowen@gmail.com">pzbowen@gmail.com</a>></span><br>Date: Thu, Aug 20, 2015 at 9:17 PM<br>Subject: [CABFORUM] Questions on the network & certificate system security requirements<br>To: Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>><br><br><br>I've gotten several different interpretations of the network security<br>
requirements that are included in version 2 of the WebTrust SSL<br>
Baseline with Network Security criteria (which are the Network and<br>
Certificate System Security Requirements set forth by the CA/Browser<br>
Forum). I have two questions:<br>
<br>
According to the Requirements, each CA must maintain and protect<br>
Issuing Systems, Certificate Management Systems, and Security Support<br>
Systems in at least a Secure Zone (1.d), ensure that only personnel<br>
assigned to Trusted Roles have access to Secure Zones and High<br>
Security Zones (2.c), and apply the same security controls to all<br>
systems co-located in the same zone with a Certificate System (1.b).<br>
"Certificate Management Systems" are systems used to process, approve<br>
issuance of, or store certificates or certificate status information,<br>
including the database, database server, and storage.<br>
<br>
This would appear to include OCSP responders, systems that store OCSP<br>
responses, and repositories storing CRLs or certificates. This would<br>
appear to make it very hard to use CDNs, as they are clearly storing<br>
certificate status information but are not in a secure zone. Is this<br>
the intent?<br>
<br>
There is also a requirement around remote administration or access to<br>
certain systems (2.o). However "remote" is not defined. Does remote<br>
mean access other than by connecting the system via a local console or<br>
is there another definition of remote?<br>
<br>
Thanks,<br>
Peter<br>
</div><br></div>