<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-family:"Georgia",serif'>Of those, the first definition (server + direct-attached HSM) seems not to be blocked by the definition, if we’re including both the server and its HSM as one “CA system”. (That is, the “CA system” consists of one server plus HSM.) The language might need tweaking to specifically allow that and under what circumstances (for example, the HSM must be directly connected via dedicated cable). Considering the two as a pair would seem to also eliminate any possibility of trying to have an online server but an “offline” HSM, too: all parts of the CA required to perform issuance tasks must either be considered online or offline.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'>The second one would arguably be problematic, yes. Just off the cuff, I’ve seen at least these three configurations in various (non-BR-involved!) contexts:<o:p></o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo2'><span style='font-family:"Georgia",serif'>I have a single offline server-plus-HSM pair that is capable of operating CAs foo, bar, baz, and quux. The keys for all four CAs are stored offline in the HSM, but I only activate and utilize one CA at a time, enforced by the hardware activation mechanisms of the HSM. (Thus, if I am busy performing operations on CA foo, it is not possible to perform any PKI operations on CA quux, and so forth.) 
All four CAs are physically isolated from the outside, and are also isolated from each other in the HSM, but there is a common set of OS and CA files in use.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo2'><span style='font-family:"Georgia",serif'>I have a single offline server-plus-HSM set with a common OS, but all of the files for the CA are kept on a removable disk and checked into a safe when not in use, while the keys are only stored in any form in the HSM when the CA is in use and then wiped after. Now the isolation is stronger thanks to unique CA files as well as HSM isolation, but you still have a shared OS platform. (And you could extend this model further to a diskless system in which I simply insert the disks for each CA, to create complete system-level isolation for each one, just on a common hardware platform.) <o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0in;mso-list:l0 level1 lfo2'><span style='font-family:"Georgia",serif'>I have four offline CAs, each of which has its own server, but which share a common network-based HSM. The whole environment is physically air-gapped from any outside connections and the CAs are logically isolated, but each has network access to a common HSM (perhaps via a common “dumb” switch). The whole ecosystem thus exists in a physically air-gapped bubble, but the isolation of the CA <i>servers</i> from each other becomes a matter of logical protections rather than physical.<o:p></o:p></span></li></ol><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'>All of these are things that people will commonly refer to as an “offline CA”, but there are definitely shades of grey when it comes to how much real isolation is occurring. 
Which of those we want to permit or not permit would be the question.<o:p></o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:9.0pt;font-family:Consolas;color:black'>-- <br>Jos Purvis (</span><a href="mailto:jopurvis@cisco.com"><span style='font-size:9.0pt;font-family:Consolas;color:#954F72'>jopurvis@cisco.com</span></a><span style='font-size:9.0pt;font-family:Consolas;color:black'>)<br>.:|:.:|:. cisco systems | Cryptographic Services<br>PGP: 0xFD802FEE07D19105 | Controls and Trust Verification</span><o:p></o:p></p></div><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Georgia",serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Servercert-wg &lt;servercert-wg-bounces@cabforum.org&gt; on behalf of CABF Server Cert WG &lt;servercert-wg@cabforum.org&gt;<br><b>Reply-To: </b>Wendy Brown - QT3LB-C &lt;wendy.brown@gsa.gov&gt;, CABF Server Cert WG &lt;servercert-wg@cabforum.org&gt;<br><b>Date: </b>Monday, March 8, 2021 at 12:44 PM<br><b>To: </b>Ryan Sleevi &lt;sleevi@google.com&gt;<br><b>Cc: </b>CABF Server Cert WG &lt;servercert-wg@cabforum.org&gt;<br><b>Subject: </b>Re: [Servercert-wg] Ballot SC40v3: Security Requirements for Air-Gapped CA Systems<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>No - I am suggesting in both cases these configurations are for offline CAs but seem to contradict the first clause of the proposed definition: <span style='font-size:12.0pt;font-family:"Times New Roman",serif;color:black'>A system that is (a) physically and logically separated from all other CA 
systems</span><o:p></o:p></p><div><p class=MsoNormal>1) an OFFLINE &amp; Air-gapped CA that uses a network HSM - BOTH the CA server &amp; the HSM are only connected to each other and both powered off, except when needed to be powered on to do some function like sign or revoke a cert or issue a CRL<o:p></o:p></p></div><div><p class=MsoNormal>or <o:p></o:p></p></div><div><p class=MsoNormal>2) again hardware dedicated only to the operation of OFFLINE &amp; Air-gapped CAs, but potentially hosting multiple offline/Air-gapped CAs on the same hardware, operated by the same trusted roles - not co-mingling with anything considered online or connected to any supporting systems that have to be online<br clear=all><o:p></o:p></p><div><p><span style='font-family:"Segoe Script"'>Wendy</span><o:p></o:p></p><p><span style='font-size:9.5pt'>Wendy Brown<br>Supporting GSA FPKI<br>Protiviti Government Services</span><o:p></o:p></p><p> 703-965-2990 (cell)<o:p></o:p></p><p><a href="mailto:wendy.brown@gsa.gov" target="_blank"><span style='font-size:9.5pt'>wendy.brown@gsa.gov</span></a><br><a href="mailto:wendy.brown@protiviti.com" target="_blank">wendy.brown@protiviti.com</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Mon, Mar 8, 2021 at 12:19 PM Ryan Sleevi &lt;<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Mon, Mar 8, 2021 at 9:07 AM Wendy Brown - QT3LB-C via Servercert-wg &lt;<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal>I'm not sure I agree with the first clause of the definition: <span style='font-size:12.0pt;font-family:"Times New Roman",serif;color:black'>A system that is (a) physically and logically separated from all other CA systems</span><o:p></o:p></p></div><div><p class=MsoNormal>for 2 reasons: <o:p></o:p></p></div><div><p class=MsoNormal>1) if the CA uses an HSM server, it should be able to be connected to the HSM when turned on as long as the HSM is powered off when the CA is and not connected to any other systems<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>When would this scenario be used? It seems somewhat dangerous - for example, if the CA system is considered online, but the HSM considered offline (even though physically connected, simply powered off), it seems like there are new threat models to consider (e.g. if the CA system can send a WoL packet to wake up the HSM system). So I'm trying to understand a bit more about what scenario this would be useful for, since it sounds like there's concern that the proposed language would prevent that scenario, to figure out how to resolve that.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal>2) Why would it not be reasonable to have the same hardware host VMs for multiple offline CAs all operated by the same trusted roles? Or some CA software can support multiple CAs (such as Red Hat, Unicert, and PrimeKey/EJBCA). Multiple CAs running on the same platform, that is offline, should be considered offline, even though they are not physically separate from each other.<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm not sure I understand this second point. Are you suggesting that a CA running on such a system could have one CA configuration offline, and another CA configuration online? Or one CA configuration that is considered airgapped running on the same machine/software as another CA configuration that is not?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Neither of those sounds like a good thing to me, and I don't think it'd be what you'd be suggesting. I *think* in such scenarios we want the same outcome: namely, if you bring such a system online (whether a device with multiple VMs or a server instance with multiple CAs), the point at which <b>one</b> is online should be considered the point at which <b>all</b> are online, and the same obligations occur regarding configuration state expectations. Is that a correct understanding?<o:p></o:p></p></div></div></div></blockquote></div></div></body></html>