<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>SSL.com votes yes</p>
<p>Leo<br>
</p>
<br>
<div class="moz-cite-prefix">On 8/30/2017 6:22 PM, Kirk Hall wrote:<br>
</div>
<blockquote type="cite"
cite="mid:4f6070c8a30d4ca99b5bf7c5361d9a72@PMSPEX04.corporate.datacard.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p>�</o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p>�</o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Kirk Hall <br>
<b>Sent:</b> Friday, August 25, 2017 8:47 AM<br>
<b>To:</b> CA/Browser Forum Public Discussion List
<a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org"><public@cabforum.org></a><br>
<b>Subject:</b> Voting has started on Ballot 210 (NetSec
Revisions)<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p>�</o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Entrust votes
yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p>�</o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Public [<a
href="mailto:public-bounces@cabforum.org"
moz-do-not-send="true">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson via Public<br>
<b>Sent:</b> Saturday, August 12, 2017 8:30 PM<br>
<b>To:</b> CABFPub <<a
href="mailto:public@cabforum.org" moz-do-not-send="true">public@cabforum.org</a>><br>
<b>Subject:<span style="color:#1F497D"> </span></b>cabfpub]
Ballot 210: Misc. Changes to the Network and Certificate
System Security Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p>�</o:p></p>
<p class="line874">The discussion period for this ballot is 12
days to give everyone ample time to review it.� Voting will
start at 2200 UTC on Thursday, August 24, 2017.<o:p></o:p></p>
<p class="line874">The Network Security Working Group recommends
that the Forum make the following minor revisions to the
Network and Certificate System Security Requirements. ��(Other
changes are being considered by the Working Group and will be
presented in due course.)<o:p></o:p></p>
<p class="line874">The following ballot is proposed by Dimitris
Zacharopoulos of HARICA and endorsed by Ben Wilson of DigiCert
and Neil Dunbar of TrustCor.<o:p></o:p></p>
<p class="line874">--Motion Begins-- <o:p></o:p></p>
<p class="line874">In the Network and Certificate System
Security Requirements: <o:p>
</o:p></p>
<p class="line862">ADD ETSI EN 319 411-1 to first sentence of
the Scope and Applicability section so that it reads "These
Network and Certificate System Security Requirements
(Requirements) apply to all publicly trusted Certification
Authorities (CAs) and are adopted with the intent that all
such CAs and Delegated Third Parties be audited for conformity
with these Requirements as soon as they have been incorporated
as mandatory requirements (if not already mandatory
requirements) in the root embedding program for any major
Internet browsing client and that they be incorporated into
the WebTrust Service Principles and Criteria for Certification
Authorities, ETSI TS 101 456, ETSI TS 102 042 and ETSI EN 319
411-1 including revisions and implementations thereof,
including any audit scheme that purports to determine
conformity therewith." <o:p></o:p></p>
<p class="line874">REPLACE section 1.a. with "a. Segment
Certificate Systems into networks based on their functional or
logical relationship, for example separate physical networks
or VLANs;"
<o:p></o:p></p>
<p class="line874">REPLACE section 1.b. with "b. Apply
equivalent security controls to all systems co-located in the
same network with a Certificate System;"
<o:p></o:p></p>
<p class="line874">REPLACE "90 days" with "three (3) months" in
section 2.g.ii. and 2.j so that they read "ii. For accounts
that are accessible from outside a Secure Zone or High
Security Zone, require that passwords have at least eight (8)
characters, be changed at least every three (3) months, use a
combination of at least numeric and alphabetic characters,
that are not a dictionary word or on a list of previously
disclosed human-generated passwords, and not be one of the
user's previous four (4) passwords; and implement account
lockout for failed access attempts in accordance with
subsection k; OR" <o:p>
</o:p></p>
<p class="line874">AND <o:p></o:p></p>
<p class="line874">"j. Review all system accounts at least every
three (3) months and deactivate any accounts that are no
longer necessary for operations;"
<o:p></o:p></p>
<p class="line874">REPLACE section 2.m. with "m. Enforce
multi-factor OR multi-party authentication for administrator
access to Issuing Systems and Certificate Management Systems;"
<o:p></o:p></p>
<p class="line874">REPLACE section 2.o. with "o. Restrict remote
administration or access to an Issuing System, Certificate
Management System, or Security Support System except when: (i)
the remote connection originates from a device owned or
controlled by the CA or Delegated Third Party, (ii) the remote
connection is through a temporary, non-persistent encrypted
channel that is supported by multi-factor authentication, and
(iii) the remote connection is made to a designated
intermediary device (a) located within the CA�s network, (b)
secured in accordance with these Requirements, and (c) that
mediates the remote connection to the Issuing System."
<o:p></o:p></p>
<p class="line874">REPLACE "every 30 days and" with "once a
month to" in section 3.e. so that it reads "e. Conduct a human
review of application and system logs at least once a month to
validate the integrity of logging processes and ensure that
monitoring, logging, alerting, and log-integrity-verification
functions are operating properly (the CA or Delegated Third
Party MAY use an in-house or third-party audit log reduction
and analysis tool); and"
<o:p></o:p></p>
<p class="line874">REPLACE 4.a. with "a. Implement intrusion
detection and prevention controls under the control of CA or
Delegated Third Party Trusted Roles to protect Certificate
Systems against common network and system threats;"
<o:p></o:p></p>
<p class="line874">REPLACE 4.C. with "c. Undergo or perform a
Vulnerability Scan (i) within one (1) week of receiving a
request from the CA/Browser Forum, (ii) after any system or
network changes that the CA determines are significant, and
(iii) at least every three (3) months, on public and private
IP addresses identified by the CA or Delegated Third Party as
the CA�s or Delegated Third Party�s Certificate Systems;"
<o:p></o:p></p>
<p class="line874">REPLACE the definition of Security Support
System in the Definitions with "Security Support System: A
system used to provide security support functions, which MAY
include authentication, network boundary control, audit
logging, audit log reduction and analysis, vulnerability
scanning, and intrusion detection (Host-based intrusion
detection, Network-based intrusion detection)."
<o:p></o:p></p>
<p class="line862">Make other editorial changes as indicated at
<a href="https://github.com/cabforum/documents/pull/64/files"
moz-do-not-send="true">
https://github.com/cabforum/documents/pull/64/files</a> and
in the attached PDF. <o:p>
</o:p></p>
<p class="line874">--Motion Ends�<o:p></o:p></p>
<p class="line874">The procedure for approval of this Final
Maintenance Guideline ballot is as follows:<o:p></o:p></p>
<p class="line874">BALLOT 210 - Final Maintenance Guideline <o:p></o:p></p>
<p class="line874">Relevant Start times and End Times are 22:00
UTC<o:p></o:p></p>
<p class="line874">Discussion (7 to 14 days) Start: August 17,
2017 ����End: August 24, 2017<o:p></o:p></p>
<p class="line874">Vote for approval (7 days) Start: August 24,
2017 ���End:� August 31, 2017<o:p></o:p></p>
<p class="line874">If a vote of the Forum approves this ballot,
the Chair will initiate a 30-day IPR Review Period by sending
out an IPR Review Notice.<o:p></o:p></p>
<p class="line874">After 30 days of announcing the IPR Review
period by the Chair:<o:p></o:p></p>
<p class="line874">(a) If Exclusion Notice(s) are filed, this
ballot approval is rescinded and a PAG will be created; or (b)
If no Exclusion Notices are filed, this ballot becomes
effective at end of the IPR Review Period.<o:p></o:p></p>
<p class="line874">From Bylaw 2.3: If the Draft Guideline Ballot
is proposing a Final Maintenance Guideline, such ballot will
include a redline or comparison showing the set of changes
from the Final Guideline section(s) intended to become a Final
Maintenance Guideline, and need not include a copy of the full
set of guidelines. Such redline or comparison shall be made
against the Final Guideline section(s) as they exist at the
time a ballot is proposed, and need not take into
consideration other ballots that may be proposed subsequently,
except as provided in Bylaw Section 2.3(j).<o:p></o:p></p>
<p class="line874">Votes must be cast by posting an on-list
reply to this thread on the Public list. A vote in favor of
the motion must indicate a clear 'yes' in the response. A vote
against must indicate a clear 'no' in the response. A vote to
abstain must indicate a clear 'abstain' in the response.
Unclear responses will not be counted. The latest vote
received from any representative of a voting member before the
close of the voting period will be counted. Voting members are
listed here:
<a href="https://cabforum.org/members/" moz-do-not-send="true">https://cabforum.org/members/</a><o:p></o:p></p>
<p class="line874">In order for the motion to be adopted, two
thirds or more of the votes cast by members in the CA category
and greater than 50% of the votes cast by members in the
browser category must be in favor. Quorum is half of the
number of currently active Members, which is the average
number of Member organizations that have participated in the
previous three Forum-wide meetings (both teleconferences and
face-to-face meetings). Under Bylaw 2.2(g), at least the
required quorum number must participate in the ballot for the
ballot to be valid, either by voting in favor, voting against,
or abstaining.<o:p></o:p></p>
<p class="line874"><o:p>�</o:p></p>
</div>
</blockquote>
<br>
</body>
</html>