<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:220136725;
mso-list-type:hybrid;
mso-list-template-ids:436648752 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>In addition to the concerns raised by Peter, additional issues with the Network Security Guidelines are:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>They haven’t been updated in a long time, nor are they currently being updated. <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>There are better audit regimes for network security. If there are particular items that apply to only CAs, we should take those and incorporate them into the Baseline Requirements while moving the more general framework to a group with better expertise. <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Zones are oddly defined and inconsistent<o:p></o:p></span></li></ol><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></a></p><span style='mso-bookmark:_MailEndCompose'></span><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Public [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Peter Bowen via Public<br><b>Sent:</b> Sunday, June 11, 2017 10:01 PM<br><b>To:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Cc:</b> Peter Bowen <pzb@amzn.com><br><b>Subject:</b> Re: [cabfpub] Send us you list of current problems with the Network Security Guidelines<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Below are a few things I’ve seen. I’m happy to put my name to them, so I’m posting to the public list:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>1) Offline CAs are treated the same as online CAs. For example, a system for CA that is based on HSMs stored in safes theoretically needs individual user logins with multi-factor access control. For systems where the HSMs has multi person access control, this is highly redundant.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>2) Root CAs are not required to be air gapped at all times.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>3) The scope is far larger than probably intended — it could be viewed as being as far reaching as including CDNs used to distribute CRLs and OCSP responses which have no ability to generate or modify the responses and systems the relay emails to domain contacts which are outside of the CA system<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>4) The segmentation requirements are confusing (and possibly contradictory): networks or zones based on their functional, logical, and physical (including location) relationship<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>5) It assumes passwords are the core authentication credential and does not align with current NIST guidance. Authentication requirements could probably be put in terms of NIST SP 800-63 AAL.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>6) It fails to define “multi-factor authentication”<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>7) It fails to define “remote” (used as part of “remote administration or access”); Is remote anything other then using a keyboard and monitor physically attached to the system motherboard?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>8) Certificate Management System and Security Support System definitions are both very broad. At least one interpretation prevents usage of any system accessible to persons who are not in Trusted Roles, even if such usage is not critical to system security. For example, the CA might have a corporate policy to send logs to a central log server in addition to CA specific log servers. It is not clear this is allowed.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>9) It has no concept of compensating controls; for example, a CA might want to implement channel authentication as an alternative to physical network segmentation (for example using TLS over VLANs rather than physically segmenting LANs).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The list goes on, but this should be a good start.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Peter<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jun 9, 2017, at 2:29 PM, Kirk Hall via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Yes, we have also noticed “90 days” versus quarterly – Most quarters have more than 90 days.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Thanks.</span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><div><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span class=apple-converted-space><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> </span></span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Dean Coclin [<a href="mailto:Dean_Coclin@symantec.com"><span style='color:#954F72'>mailto:Dean_Coclin@symantec.com</span></a>]<span class=apple-converted-space> </span><br><b>Sent:</b><span class=apple-converted-space> </span>Friday, June 9, 2017 2:09 PM<br><b>To:</b><span class=apple-converted-space> </span>CA/Browser Forum Public Discussion List <<a href="mailto:public@cabforum.org"><span style='color:#954F72'>public@cabforum.org</span></a>><br><b>Cc:</b><span class=apple-converted-space> </span>Kirk Hall <<a href="mailto:Kirk.Hall@entrustdatacard.com"><span style='color:#954F72'>Kirk.Hall@entrustdatacard.com</span></a>><br><b>Subject:</b><span class=apple-converted-space> </span>[EXTERNAL]Re: [cabfpub] Send us you list of current problems with the Network Security Guidelines<o:p></o:p></span></p></div></div></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>One specific complaint from the auditors I believe was the specific time requirements in the document. For example, if it said you have to change the password at 90 days, and you did it on day 91, it would be an audit failure. I think Don has better examples but that's one I recall. <br><br>Sent from my iPhone<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><br>On Jun 9, 2017, at 4:35 PM, Kirk Hall via Public <<a href="mailto:public@cabforum.org"><span style='color:#954F72'>public@cabforum.org</span></a>> wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Bruce and I want to collect a preliminary list of current problems with the Network Security Guidelines (technically, the Network and Certificate System Security Requirements), so we can have a good discussion of possible new directions at the upcoming F2F.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>To that end –<span class=apple-converted-space> </span><u>please send Bruce and me a list of the specific requirements (and/or definitions) in the NetSec requirements that you think are most problematic</u><span class=apple-converted-space> </span>and which should be changed or dropped. If possible, give us the following data for each problematic issue:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div style='margin-left:.5in'><p class=MsoNormal style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>1.</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Section or definition of the NetSec Requirements that creates the problem<o:p></o:p></span></p></div><div style='margin-left:.5in'><p class=MsoNormal style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>2.</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>What is the problem?<o:p></o:p></span></p></div><div style='margin-left:.5in'><p class=MsoNormal style='text-indent:-.25in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>3.</span><span style='font-size:7.0pt'> <span class=apple-converted-space> </span></span><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>What is a possible solution (drop, amend, supplement), with suggested language.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Bruce and I will combine all suggestions received and report<span class=apple-converted-space> </span><i><u>anonymously</u></i><span class=apple-converted-space> </span>to the whole group for a discussion in Berlin. That may give the new Working Group some useful guidance for its ongoing work after that.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Thanks.<o:p></o:p></span></p></div></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><Network_Security_Controls_V1.pdf><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org"><span style='color:#954F72'>Public@cabforum.org</span></a><br><a href="https://clicktime.symantec.com/a/1/f8a6ATZl_MnLwe29_m42V-mYnSdtACxRZX0POAv19Vo=?d=Yz3SpbucMfHwCGRoOuzLmlu9Wpr_caTWy3ILlB_IoLHc8KA0wZ9ZIIE0tt6_40GuyUeYNqwIwidNiKaKMu-5OhJUpI-0YmfQlXF6WVerqU-ErugytgRRUvyO4rzY8NCkhG397tCFH2roGFp5G4M7Xr7HurgCIsLKvk_CMVy_W33a8G7xs-zP44TZmNNnklelkmp9rYeMxGizl_l43PaLWEPq3okEBqK1ZLhxicxRW5Q-DJpP7uamThvBEDxql9A4GfwEQidWB4-Z4LlFYTHzdzZ1KHdONbJspvsEhltqHQiSSKHqcjPVfopD6S_b1Il_kJ7UeffHCM2fbGuZM3-ATtW4erUTkCsgco80th_9K1GTEs0Ligy4OOIZyCqOKL88l3ZOGCvzMBdsibgW7vTwBA2LhcZdTn_Nqiq7Lfh2iJXO2hDVk8yYzplKWu7J_J7XdsTZJuufN_61qCXKBjZC5VS3fw%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic"><span style='color:#954F72'>https://clicktime.symantec.com/a/1/f8a6ATZl_MnLwe29_m42V-mYnSdtACxRZX0POAv19Vo=?d=Yz3SpbucMfHwCGRoOuzLmlu9Wpr_caTWy3ILlB_IoLHc8KA0wZ9ZIIE0tt6_40GuyUeYNqwIwidNiKaKMu-5OhJUpI-0YmfQlXF6WVerqU-ErugytgRRUvyO4rzY8NCkhG397tCFH2roGFp5G4M7Xr7HurgCIsLKvk_CMVy_W33a8G7xs-zP44TZmNNnklelkmp9rYeMxGizl_l43PaLWEPq3okEBqK1ZLhxicxRW5Q-DJpP7uamThvBEDxql9A4GfwEQidWB4-Z4LlFYTHzdzZ1KHdONbJspvsEhltqHQiSSKHqcjPVfopD6S_b1Il_kJ7UeffHCM2fbGuZM3-ATtW4erUTkCsgco80th_9K1GTEs0Ligy4OOIZyCqOKL88l3ZOGCvzMBdsibgW7vTwBA2LhcZdTn_Nqiq7Lfh2iJXO2hDVk8yYzplKWu7J_J7XdsTZJuufN_61qCXKBjZC5VS3fw%3D%3D&u=https%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fpublic</span></a><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p></o:p></span></p></div></div></blockquote><p class=MsoNormal><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif'>_______________________________________________<br>Public mailing list<br></span><a href="mailto:Public@cabforum.org"><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72'>Public@cabforum.org</span></a><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif'><br></span><a href="https://cabforum.org/mailman/listinfo/public"><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72'>https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></body></html>