<div dir="ltr"><div dir="ltr">Hi Ryan,</div><div dir="ltr"><br></div><div>See responses below.</div><div><br></div><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 26, 2020 at 1:40 PM Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Thanks for sharing this, Ben. I appreciate the detailed motivations.</div><div><br></div><div>This seems like a rather significant and substantial change to the security properties of CAs. I'm a bit nervous about the "or Delegated Third Party" inclusions here, this seems like it would reduce the effective security controls rather substantially, right?</div><div><br></div></div></blockquote><div>
<font size="2"><span style="line-height:107%;font-family:"Calibri",sans-serif">The
NCSSRs have always applied to Delegated Third Parties (DTPs), and DTPs are
required to comply with them. For this ballot, we're trying to minimize the
changes by focusing on the removal of the term “zone” and thereby limit the
number of changes that we are making to the NCSSRs as much as possible. DTPs are
mentioned at the beginning of section 2, and were already mentioned in section 2.n.
“Enforce Multi-Factor Authentication for all Trusted Role accounts on
Certificate Systems (including those approving the issuance of a Certificate,
which equally applies to Delegated Third Parties) ….”<span> </span>By adding “the CA’s or Delegated Third
Party’s network” we are only replacing “Secure Zone” and “High Security Zone”.</span></font>
</div><div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>There's also a host of other things that I think merit raising an eyebrow. For example, "lockable enclosures" doesn't require that they actually be secured in locked enclosures, just that they could be. For example, if I always left my cage unlocked, it still seems like it would be fully compliant.</div><div><br></div></div></blockquote><div>
<font size="2"><span style="line-height:107%;font-family:"Calibri",sans-serif">This
point was discussed in the committee. We noted, for instance, that as amended, section
5.1.2 would say, “CAs SHALL ensure that CA Equipment is protected by physical
locks equipped with access control devices”.<span> We believed that common sense, and this and other language, would not lead CAs to believe that they could leave cages, etc., unlocked.
</span>However, we can reword this amendment to BR section 5.1.1 and use the
term “locked enclosures.” </span></font>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>I'm quite worried about the introduction of "trusted networks" into the NSRs. This was, of course, a concern Google raised as far back as 2012 when discussing the NCSSRs, as trusted networks generally encourage unsafe assumptions. This concept appears in several places (1.e, 2.g, 2.n)</div><div><br></div></div></blockquote><div>
<font size="2"><span style="line-height:107%;font-family:"Calibri",sans-serif">The
NCSSRs have always recognized a distinction between a CA’s network and an outside
network. We can address the issue you raise in a subsequent ballot. Here, in
this ballot, we have only added the "non-trusted network" distinction
in section 1.e. (as an alternative to "public network").<span> </span>We believe that “non-trusted network” is a good
alternative to “public network”.<span> </span>In
response to your concern, however, there is nothing to suggest that
"trusted" networks peculiarly suffer from insecure practices just
because they are considered "trusted". Similar to what is allowed for
a Trusted Role to perform, a trusted network is one in which different security
policies are allowed to exist. A non-trusted network would be one that is not managed,
owned, and operated by the CA. It is non-trusted because the CA is not in a
position to control or detect anomalous behavior occurring within it. So there
is a monitoring element to the distinction between the two. In a perfect world,
we would not have any trusted networks and rely entirely on strongly attestable
properties of endpoints communicating across the non-trusted substrate, but the
state of the technology is not there yet, so enclaves of traffic-restricted
communications are the current state.<span> </span>We
would be interested in knowing why you think that trusted networks are inadequately
secure in light of the NCSSRs; and in future iterations, we can build in
additional requirements.</span></font>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>It's not clear to me that this, overall, is a net improvement. That is, it seems to weaken the logical security controls, while allowing a substantial mixing of the physical security controls. I would think that, in general, we would be better served by ensuring such zones are both logically AND physically distinct, but this seems to allow mixing such access entirely; as you note, High Security Zone and Secure Zone are now functionally indistinguishable.</div><div><br></div></div></blockquote><div>
<font size="2"><span style="line-height:107%;font-family:"Calibri",sans-serif">The
current NCSSRs never had a High Security logical zone. "High
Security" was defined as a physical location. We are working on improving the
distinction between physical and logical security and strengthening logical
security requirements. In fact, we have a draft ballot for offline CAs that separates
out physical and logical security.<span> </span></span></font>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div><div>Am I overlooking important details about why these concerns might not be valid, or why this lowering of security might be desirable?</div></div></blockquote><div> </div><div><font size="2">We agree with your sentiments, but the committee believes that our ballot strategy will strengthen security because in the end we'll be able to have clearer, more enforceable provisions.</font><br></div><div> </div><div>Ben</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 26, 2020 at 2:56 PM Ben Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><font size="4">This email begins the discussion period for Ballot SC32.</font></div><div>
<p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt" id="gmail-m_-6522316728675327519gmail-m_1964699310879825522gmail-docs-internal-guid-5c0c1ca4-7fff-0066-9496-2af7b8bc45fc"><span style="font-size:12pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Purpose of Ballot:</span><span style="font-size:12pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> To remove ambiguity and delineate requirements for physical security and logical security.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The Network and Certificate System Security Requirements (NCSSRs) were drafted with the concept of physical and logical “Zones” (Secure Zones, High Security Zones, and everything else outside those zones). However, the approach did not clearly separate the physical security aspects from the logical security aspects. 
“Zone” was defined as a “subset of Certificate Systems created by the </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">logical</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">or</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">physical</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> partitioning of systems from other Certificate Systems,” and “Secure Zone” was defined as an “area (</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">physical</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span><span 
style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">or</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">logical</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">) protected by </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">physical and logical controls</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> that appropriately protect the confidentiality, integrity, and availability of Certificate Systems.” “High Security Zone” was defined as a physical area— "A </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">physical location</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> 
where a CA’s or Delegated Third Party’s Private Key or cryptographic hardware is located”.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">It has been difficult for auditors and CAs to delineate when NCSSR controls are appropriate from a logical perspective versus a physical perspective for various aspects of the CA’s operation, and the NCSSRs could benefit from greater clarity. </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This ballot proposes to remove the term “zone” from the NCSSRs, and definitions of “Zone,” “Secure Zone,” and “High Security Zone” will be deleted. Two approaches will address physical security: (1) section 5.1 of the Baseline Requirements will be enhanced, and (2) the NCSSRs will contain cross-references to section 5.1 of the Baseline Requirements. 
For logical security, the term “Secure Zone” will be replaced with “CA’s network” or “Certificate Systems”.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Baseline Requirements</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:0pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This ballot amends the Baseline Requirements by adding a definition for “CA Equipment” to section 1.6.1 as follows: “Hardware involved in the issuance of certificates or the signing of certificate status information, e.g. signing servers and appliances that issue certificates, sign CRLs, or generate OCSP responses.” </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The following language will be added in section 5.1 of the Baseline Requirements:</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><b><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">BR § 5.1.1. 
Site location and construction</span></b></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">CAs SHALL ensure that CA Equipment is located in an environment that provides physical security through the use of lockable enclosures (e.g. locked rooms, cages, safes, or cabinets).</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><b><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">BR § 5.1.2. Physical access</span></b></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">CAs SHALL ensure that CA Equipment is protected by physical locks equipped with access control devices (e.g. keys, tokens, biometric readers, and/or access control lists) that control physical access to CA Equipment.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:0pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Sections 5.1.3 through 5.1.8 of the BRs have been populated with language requiring other physical environment protections, e.g. “CAs SHALL ensure that CA Equipment is protected from damage due to water exposure”, etc. 
(See redline/diff for exact text.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> These proposed additions simply restate the basic physical environmental requirements that CAs must meet.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:0pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Section 1.c.</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:0pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Section 1.c of the NCSSRs will be amended to require CAs to maintain Root CA Systems in accordance with BR section 5.1, and in an offline state or air-gapped from all other networks. 
(See redline/diff for exact text.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:0pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> CAs currently keep these offline systems in a physically secure environment. Also, the proposed additional language to the Baseline Requirements will ensure there is less wiggle room concerning the actual physical protections for critical CA Equipment.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Section 1.d.</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Section 1.d. 
will be amended to require CAs to maintain and protect </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Certificate Systems</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, Issuing Systems, Certificate Management Systems, </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Front End / Internal Support Systems</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, and Security Support Systems in accordance with section 5.1 of the Baseline Requirements. (See redline/diff for exact text.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> This modification replaces the term “Secure Zone.” The definition of “Secure Zone” as a physical OR logical area has been a major cause of confusion. 
An early draft of the NCSSRs defined “Secure Zone” as “The area where the CA’s and Delegated Trusted Agent’s equipment used in providing Certificate Services are located. The Secure Zone is often inside a data center or network operations center.” In this section, “Secure Zone” is replaced with a reference to the requirements of BR section 5.1 to clarify the original intent of this section to address physical security, that systems be located in at least a physically secure area (while section 1.e., below, was meant to address the logical security of CA systems). Note that another aspect of this revision is that it adds Certificate Systems and Front End / Internal Support Systems to the group of systems that need to be physically protected. </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Section 1.e.</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Section 1.e. 
will require CAs to implement and configure Security Support Systems that secure and protect communications and </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Certificate Systems</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> from non-trusted networks. (See redline/diff for exact text.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> A “Security Support System” is a “system used to provide security support functions, which MAY include authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and intrusion detection (Host-based intrusion detection, Network-based intrusion detection).” This provision requires the use of a system to provide logical security to protect communications and Certificate Systems from external threats. 
The ballot also deletes the parenthetical “including those with organizational business units that do not provide PKI-related services” because it is unnecessary as it is already included as part of public networks and communications with public networks.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Section 2.c.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Amendments to section 2.c. will require that only persons in Trusted Roles have </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">logical or physical access</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> to </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Certificate Systems, Issuing Systems, Certificate Management Systems, Front End / Internal Support Systems, and Security Support Systems</span><span 
style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. (See redline/diff for exact text.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> Section 2.c. currently says that access to Secure Zones and High Security Zones can only be granted to persons in Trusted Roles. It does not currently specify the types of access that persons in Trusted Roles have or to which systems.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Section 2.g.</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This section will likely be modified further in a subsequent ballot, but meanwhile it will retain the current password rules (based on whether or not the 
user is inside the CA’s network). If authentication occurs within </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">the CA’s network</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, then the password must be at least 12 characters, but if authentication occurs from </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">outside the CA’s network</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, then Multi-Factor Authentication must be used, and any password used must be at least 8 characters and not one of the previous 4 passwords. The CA must also implement the account lockout provisions of section 2.k. The phrase in ii. 
“cross a zone boundary into a Secure Zone or High Security Zone” is replaced with the phrase “For authentications from outside the boundary of the CA’s network.” (See motion language and redline/diff for exact text.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> The terms “Secure Zone” and “High Security Zone” are being removed from the NCSSRs. The current version of 2.g.ii. has two sentences that can be combined into one, which will eliminate ambiguity caused by having two separate sentences with slightly different phrasing. These two sentences read, “For authentications which cross a zone boundary into a Secure Zone or High Security Zone, require Multi-Factor Authentication. For accounts accessible from outside a Secure Zone or High Security Zone require passwords ….” A reader might find these two sentences contradictory. Rephrasing the sentence as a series of requirements eliminates the potential confusion -- “For authentications from outside the boundary of the CA’s network: require Multi-Factor Authentication, require passwords that have at least eight (8) characters and are not one of the user's previous four (4) passwords, and implement account lockout for failed access attempts in accordance with subsection k.” (Note – this doesn’t require that passwords be used -- the opening part of g. 
makes it conditional on using a password in the first place, “If an authentication control used by a Trusted Role is a username and password, then, where technically feasible, implement the following controls:” ….)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Section 2.n.</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The last part of the requirement replaces the phrase “a Secure Zone or High Security Zone” with “the CA’s or Delegated Third Party’s network” so that the section reads, “Enforce Multi-Factor Authentication for all Trusted Role accounts on Certificate Systems (including those approving the issuance of a Certificate, which equally applies to Delegated Third Parties) that are accessible from outside </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">the CA’s or Delegated Third Party’s network</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">.” (See redline/diff for exact text.)</span></p><p dir="ltr" 
style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> This modification makes no substantive changes apart from the replacement of terms as described above. Future efforts by the Network Security Subcommittee can address whether and how section 2.n. can be integrated into section 2.g. </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">NCSSR DEFINITIONS</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Definition of “Critical Security Event”</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> – The phrase “a Zone’s” is removed so that the definition reads, “Detection of an event, a set of circumstances, or anomalous activity that could lead to a circumvention of security controls or a compromise of a Certificate System’s integrity, ….” (See redline/diff for exact text.)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span 
style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> Removal of the phrase “a Zone’s” doesn’t substantially change an interpretation of the defined term.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Definition of “Trusted Role”</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> – The phrase “a Secure Zone or High Security Zone” is being replaced so that the definition will read, “An employee or contractor of a CA or Delegated Third Party who has authorized access to or control over a Root CA System, Certificate System, Issuing System, Certificate Management System, Front End / Internal Support System, or Security Support System.”</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Rationale:</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> This modification is 
consistent with the elimination of “Zone” from the NCSSRs.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Deleting “High Security Zone,” “Security Zone,” and “Zone”</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> – as described above.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><b><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The following motion has been proposed by Ben Wilson of Mozilla and endorsed by Trev Ponds-White of Amazon and Neil Dunbar of TrustCor Systems.</span></b></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><b><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> --- MOTION BEGINS ---</span></b></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This 
ballot modifies the “Network and Certificate System Security Requirements” based on Version 1.4 and sections 1.6.1 and 5.1.1 through 5.1.8 of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, based on Version 1.7.0., as follows: </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">MODIFY the Baseline Requirements as defined in the following redline: </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><a href="https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:2a255d8d159e8e4b59952ed9de272f2a72349036" style="text-decoration:none" target="_blank"><span style="font-size:12pt;font-family:Arial;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:2a255d8d159e8e4b59952ed9de272f2a72349036</span></a><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">MODIFY the Network and Certificate System Security Requirements as defined in the following redline:</span></p><p dir="ltr" 
style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><a href="https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:2a255d8d159e8e4b59952ed9de272f2a72349036" style="text-decoration:none" target="_blank"><span style="font-size:12pt;font-family:Arial;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:2a255d8d159e8e4b59952ed9de272f2a72349036</span></a><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The Chair or Vice-Chair is permitted to update the Relevant Dates and version numbers of the Baseline Requirements and the Network and Certificate System Security Requirements to reflect these changes. 
</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><b><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">--- MOTION ENDS ---</span></b></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This ballot proposes two Final Maintenance Guidelines.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The procedure for approval of this ballot is as follows:</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Discussion (7+ days)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Start Time: 2020-06-26 19:00:00 UTC</span></p><p dir="ltr" 
style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">End Time: 2020-07-03 19:00:00 UTC</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Vote for approval (7 days)</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Start Time: TBD</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">End Time: TBD</span></p>
</div></div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div></div>
</blockquote></div></div></div>