<div dir="ltr">Greetings SCWG,<div><br></div><div>Over in the NetSec Subcommittee we're
working to finish a risk assessment to use as a basis for further work
on the NCSSRs. To communicate the approach we're taking and solicit
feedback from the larger working group, I'm sharing below the
methodology we've agreed on and started to implement. There is a great
deal of prior work over the last few years we'll be pulling in with this
effort to get over the finish line.</div><div><br></div><div>Feedback and comments are welcome.<div><span id="gmail-m_2580054417619479819gmail-docs-internal-guid-a6aa658b-7fff-85a3-ad02-1f451ee8ceef"><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Background</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The Network Security Subcommittee was chartered with the following purpose:</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:10pt;font-family:Arial;color:rgb(51,51,51);font-style:italic;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The Network Security Subcommittee shall propose ballots to the SCWG to improve the minimal security standards within the mission defined above. This includes modifying the existing Network and Certificate System Security Requirements (NCSSR) or to create new requirements, guidelines, or best practices. Among other activities, the Network Security Subcommittee shall perform security analysis on typical CA Management Systems offering options to the Server Certificate Working Group for establishing minimal security standards. Risk analysis will also be used to provide a better understanding of threats and vulnerabilities in Certificate Management Systems. 
This process can be used to provide better reasoning and justification of existing or future security guidelines.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The mandate to improve the NCSSR is firmly rooted in an expectation that a risk assessment specific to Certificate Management Systems be produced and used to guide improvement proposals. Several steps have been taken on this path, but we do not yet have an accepted risk assessment. </span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Objective</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">This document will define the methodology to be used and the expected deliverables at the end of the risk assessment process. 
We will follow the general approach outlined in NIST SP 800-30r1, 800-37 and 800-39.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Purpose</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The purpose of this risk assessment is to evaluate in sufficient detail the risks faced by public CAs to guide improvement of the NCSSR. The resulting product will be a critical tool for the subcommittee and others to use in proposing appropriate mitigations.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Scope</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">To maintain focus on the NCSSR and the mission of the subcommittee, the risk assessment will primarily focus on risks at the information systems tier (tier 3) and with some items from business processes (tier 2) and little focus on organizational issues (tier 1). The assessment will approach this in a generalized way to be as applicable to all CA Management Systems as possible. 
</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Assumptions and Constraints</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">This assessment will include threat sources, threat events, vulnerabilities and impacts that have caused serious issues for CAs or other high security organizations in the past or are likely to in the future. Likelihood will be evaluated within the space of a year.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Sources</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Threat, vulnerability and impact information will be drawn from industry sources such as incident reports, general technical security reports, the experience of participants in the risk assessment and the documents previously generated by this group such as </span><a href="https://docs.google.com/spreadsheets/d/1X3tLarx42JBEa6faaL9qgAaUPKYuaEeD/e" style="text-decoration-line:none" target="_blank"><span 
style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">Root CA System Threat Analysis2.xlsx</span></a><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap"> and </span><a href="https://docs.google.com/document/d/1nHpYpTFhYlSJoweOu3xH1XuJG9h5OpxdApnYWuhd8RY/" style="text-decoration-line:none" target="_blank"><span style="font-size:11pt;font-family:Arial;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;text-decoration-line:underline;vertical-align:baseline;white-space:pre-wrap">Threat Modeling per Use Case/Story</span></a><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Approach</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">We will take a threat-oriented approach, meaning that in our generated table, threat sources will occupy the left-most column and threat events, assets, vulnerabilities, likelihoods and impacts will follow to the right. 
The reason for this ordering over an asset- or impact-oriented approach is that a threat source-threat event-vulnerability combination will often have similar details on multiple assets, so the completed table may be more compact and easier to make use of.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">We will take a qualitative approach to recording values such as likelihood and impact, as these will be most useful and are more honest in recognizing the vagaries and variability of doing the analysis at this level and distance from any particular CA Management System. </span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Our evaluations will be fairly risk intolerant due to the sensitive and very high trust nature of CA systems. At this point in time we will prepare the risk assessment without evaluating current NCSSR expectations or mitigating controls.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Conducting the Risk Assessment</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Following the methodology outlined above, we will generate a table. 
The rows will capture a threat source, threat event, asset, vulnerability, likelihood and impact. As necessary for clarity and completeness, a threat source may be repeated multiple times. Once all combinations of these columns have been exhausted and evaluated, the risk assessment will be reviewed by the subcommittee and then shared with the SCWG.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Further Work</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:10pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">An immediate follow-on to this work should be the full mapping of the risk assessment to existing mitigations and controls in the NCSSR. 
Additionally, we should do a similar mapping against other regulatory frameworks we are considering to replace components of the NCSSR and guide us in creating a WebPKI-specific overlay to complement the framework.</span></p></span></div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><p style="margin:10px 0px 0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"><span style="display:inline-block;max-width:100%"><img src="http://www.fastly.com/img/sig.png" style="margin:0px 2px;padding:0px;border:0px;display:block"></span><strong><br></strong></p><div style="margin:0px;padding:0px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px"><div style="margin:0px;padding:0px"><div style="margin:0px;padding:0px"><strong>Daniel Jeffery</strong> | TLS</div><div style="margin:0px;padding:0px"><a href="http://fastly.com/" rel="nofollow" style="color:rgb(59,115,175)" target="_blank">fastly.com</a> | <a href="https://twitter.com/fastly" rel="nofollow" style="color:rgb(59,115,175)" target="_blank">@fastly</a> | <a href="http://www.linkedin.com/company/fastly" rel="nofollow" style="color:rgb(59,115,175)" target="_blank">LinkedIn</a></div></div></div></div></div></div>
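Added illustration, not part of the original message or of the subcommittee's deliverable: a small Python risk register that follows the threat-oriented column order described above (threat source, threat event, asset, vulnerability, likelihood, impact), combines the qualitative likelihood and impact into a risk level, applies a low tolerance threshold in the spirit of the "fairly risk intolerant" stance, and groups rows by threat source, threat event and vulnerability to show why that ordering keeps the table compact. The combination matrix is this example's own assumption, modelled on the shape of the qualitative likelihood-by-impact table in NIST SP 800-30r1 Appendix I rather than quoted from it; the sample rows are constructed and the asset and vulnerability names are hypothetical.

```python
"""Threat-oriented qualitative risk register (added example, not the
NetSec Subcommittee's document). Column order and qualitative scales
follow the methodology in the message; the matrix values are assumed."""
from dataclasses import dataclass
from collections import defaultdict

# Qualitative scale, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumed combination matrix: rows are likelihood (over a one-year
# window), columns are impact in LEVELS order. Modelled on the shape of
# the NIST SP 800-30r1 Appendix I table; treat the values as this
# example's assumption, not as quoted from the standard.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass(frozen=True)
class RiskRow:
    """One row of the register, left to right as the methodology orders it."""
    threat_source: str
    threat_event: str
    asset: str
    vulnerability: str
    likelihood: str  # one of LEVELS, judged within a one-year window
    impact: str      # one of LEVELS


def risk_level(likelihood: str, impact: str) -> str:
    """Combine qualitative likelihood and impact into a qualitative risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def exceeds_tolerance(level: str, tolerance: str = "Low") -> bool:
    """Risk-intolerant default: anything above 'Low' is flagged for mitigation work."""
    return LEVELS.index(level) > LEVELS.index(tolerance)


def group_by_threat(rows):
    """Threat-oriented compaction: one key per (source, event, vulnerability),
    with every affected asset listed under it."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r.threat_source, r.threat_event, r.vulnerability)].append(r.asset)
    return dict(groups)


def assess(rows, tolerance: str = "Low"):
    """Return (row, risk level) pairs that exceed the tolerance, highest first."""
    scored = [(r, risk_level(r.likelihood, r.impact)) for r in rows]
    flagged = [(r, lvl) for r, lvl in scored if exceeds_tolerance(lvl, tolerance)]
    return sorted(flagged, key=lambda p: LEVELS.index(p[1]), reverse=True)


# Constructed sample rows (hypothetical assets and vulnerabilities).
SAMPLE_ROWS = [
    RiskRow("External adversary", "Unauthorized certificate issuance",
            "Issuing CA application", "Single-factor administrative access",
            "Moderate", "Very High"),
    RiskRow("External adversary", "Unauthorized certificate issuance",
            "Registration authority portal", "Single-factor administrative access",
            "Moderate", "High"),
    RiskRow("Malicious insider", "Misuse of the root signing key",
            "Root CA private key", "HSM operator quorum not enforced",
            "Low", "Very High"),
    RiskRow("Environmental", "Loss of power to the data centre",
            "OCSP responder", "No redundant power feed",
            "Moderate", "Low"),
]

if __name__ == "__main__":
    for row, level in assess(SAMPLE_ROWS):
        print(f"{level:9} {row.threat_source} / {row.threat_event} -> {row.asset}")
    for key, assets in group_by_threat(SAMPLE_ROWS).items():
        print(key, "affects", assets)
```

Mapping each flagged row to the NCSSR control that addresses it is the follow-on step the "Further Work" section describes; adding a `control` column to `RiskRow` is the natural place for that mapping once the register is accepted.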