<div dir="ltr">Hi Ben,<div><br></div><div>Can you share the risk analysis the NetSec Subcommittee is using to inform this suggestion? I feel like we've gone in circles on this point, and run the risk of continuing to do so, but it seems that we can best make progress here by having a better understanding, and seeing if there is consensus in, "these are the things that we're worried about preventing, and these are the things prevented that we think should be allowed".</div><div><br></div><div>The change of definition in such a core concept obviously has profound security impact - potentially hugely positive, or potentially hugely negative. I'm assuming that such an analysis has already been done, and was hoping you could share that result.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 14, 2021 at 4:55 PM Ben Wilson via Servercert-wg &lt;<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><font size="2"><span style="font-family:arial,sans-serif">All,</span></font></div><div><font size="2"><span style="font-family:arial,sans-serif"><br></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif">Today in the NetSec subgroup we discussed use of the term "zone" in the NCSSRs. Previous efforts on this topic have included an abandoned Ballot SC32 (see e.g. <a href="https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002033.html" target="_blank">https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002033.html</a>), and other drafts in which we have explored the differentiation between logical security and physical security. 
<br></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif"><br></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif">The NetSec subgroup is again working on the "zones" language and efforts to delineate the two concepts (logical and physical), but first we want <font size="2"><span style="font-family:arial,sans-serif">to <span>see where we might have disagreement</span></span></font>,
<font size="2"><span style="font-family:arial,sans-serif"><font size="2"><span style="font-family:arial,sans-serif"><span>gaps in understanding, or lack of </span></span></font></span></font>clarity on the issues and concerns<span>. Thus, the</span><span> NetSec subgroup is considering proposing the following as a replacement to section 1.e of the NCSSRs - <br></span></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif"><span><br></span></span></font></div><div style="margin-left:40px"><font size="2"><span style="font-family:arial,sans-serif"><span>"Implement and
configure Security Support Systems that protect communications between Certificate
Systems and non‐Certificate Systems (i.e.
<span>public<span style="letter-spacing:-0.25pt"> </span>networks</span>
and organizational business
units that do not provide PKI‐related services<span style="letter-spacing:-2.85pt"><span></span></span>);"</span></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif"><span><br></span></span></font></div>
<p class="MsoNormal" style="line-height:normal;margin:0in 0in 8pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:10pt;font-family:Arial,sans-serif">For additional reference, the definition of “Security
Support System” would be slightly amended to read, “A system used to provide physical or
logical security support functions, which MAY include authentication, network
boundary control, audit logging, audit log reduction and analysis,
vulnerability scanning, and intrusion detection (physical intrusion detection,
Host</span><span style="font-size:10pt;font-family:'Cambria Math',serif">‐</span><span style="font-size:10pt;font-family:Arial,sans-serif">based intrusion detection, or Network</span><span style="font-size:10pt;font-family:'Cambria Math',serif">‐</span><span style="font-size:10pt;font-family:Arial,sans-serif">based intrusion detection).” <br></span></p><div><font size="2"><span style="font-family:arial,sans-serif"><span>And, for comparison, the current language in section 1.e is, "<span style="line-height:107%">Implement
and configure Security Support Systems that protect systems and communications
between systems inside Secure Zones and High Security Zones, and communications
with non‐Certificate Systems outside those zones (including those with
organizational business units that do not provide PKI‐related services) and
those on public networks;</span>".</span></span></font></div><br><div><font size="2"><span style="font-family:arial,sans-serif"><span>With your input, we can move forward with looking at other places in the NCSSRs where logical and physical security are not distinguished and where the term "zone" is used.</span></span></font></div><div><br></div><div>
<div><font size="2"><span style="font-family:arial,sans-serif"><span>Thanks in advance. </span></span></font></div>
<font size="2"><span style="font-family:arial,sans-serif"><span></span></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif"><span><br></span></span></font></div><div><font size="2"><span style="font-family:arial,sans-serif"><span>Ben<br>
</span></span></font></div><div><p class="MsoNormal" style="margin:0in 11.5pt 8pt 0in;line-height:normal"><font size="2"><span style="font-family:arial,sans-serif"><span><br></span></span></font></p><p class="MsoNormal" style="margin:0in 11.5pt 8pt 0in;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:12pt"><font size="2"><br></font><span></span></span></p>
</div></div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div>