[cabf_netsec] Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Neil Dunbar ndunbar at trustcorsystems.com
Tue Aug 1 11:44:45 MST 2017


I’ll endorse on behalf of TrustCor

Neil

> On 1 Aug 2017, at 19:43, Ben Wilson via Netsec <netsec at cabforum.org> wrote:
> 
> I think Dimitris would be the proposer, and I would endorse.  Do we have an additional endorser for these changes?   <>
>  
> From: Netsec [mailto:netsec-bounces at cabforum.org <mailto:netsec-bounces at cabforum.org>] On Behalf Of Ben Wilson via Netsec
> Sent: Tuesday, August 1, 2017 12:41 PM
> To: Kirk Hall <Kirk.Hall at entrustdatacard.com <mailto:Kirk.Hall at entrustdatacard.com>>; CA/Browser Forum Network Security WG List <netsec at cabforum.org <mailto:netsec at cabforum.org>>
> Subject: Re: [cabf_netsec] Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements
>  
> Here you go.
>  
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
> <image001.jpg>
>  
> From: Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com <mailto:Kirk.Hall at entrustdatacard.com>] 
> Sent: Tuesday, August 1, 2017 7:55 AM
> To: Ben Wilson <ben.wilson at digicert.com <mailto:ben.wilson at digicert.com>>; CA/Browser Forum Network Security WG List <netsec at cabforum.org <mailto:netsec at cabforum.org>>
> Subject: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements
>  
> Is there any way that a red-line, track changes document can be provided for this pre-ballot?  It will really help our team analyze the changes.
>  
> From: Netsec [mailto:netsec-bounces at cabforum.org <mailto:netsec-bounces at cabforum.org>] On Behalf Of Ben Wilson via Netsec
> Sent: Thursday, July 27, 2017 3:45 PM
> To: CA/Browser Forum Network Security WG List <netsec at cabforum.org <mailto:netsec at cabforum.org>>
> Subject: [EXTERNAL][cabf_netsec] Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements
>  
> Based on Dimitris’ recent updates to the document on GitHub (see https://github.com/cabforum/documents/pull/64/files <https://github.com/cabforum/documents/pull/64/files> ),  I’ve created a pre-ballot that the Working Group should be able to endorse. See  https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR <https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR> (pasted below).  I don’t have the PDF ready yet, but I’ll circulate it later.
>  
> Ballot 210 - Miscellaneous Changes to the Network and Certificate System Security Requirements
> 
> The Network Security Working Group recommends that the Forum make the following minor revisions to the Network and Certificate System Security Requirements. 
> 
> --Motion Begins-- 
> 
> In the Network and Certificate System Security Requirements. 
> 
> ADD ETSI EN 319 411-1 to first sentence of the Scope and Applicability section so that it reads "These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs) and are adopted with the intent that all such CAs and Delegated Third Parties be audited for conformity with these Requirements as soon as they have been incorporated as mandatory requirements (if not already mandatory requirements) in the root embedding program for any major Internet browsing client and that they be incorporated into the WebTrust <https://cabforum.org/wiki/WebTrust> Service Principles and Criteria for Certification Authorities, ETSI TS 101 456, ETSI TS 102 042 and ETSI EN 319 411-1 including revisions and implementations thereof, including any audit scheme that purports to determine conformity therewith." 
> 
> REPLACE section 1.a. with "a. Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs;" 
> 
> REPLACE section 1.b. with "b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System;" 
> 
> REPLACE "90 days" with "three (3) months" in section 2.g.ii. and 2.j so that they read "ii. For accounts that are accessible from outside a Secure Zone or High Security Zone, require that passwords have at least eight (8) characters, be changed at least every three (3) months, use a combination of at least numeric and alphabetic characters, that are not a dictionary word or on a list of previously disclosed human-generated passwords, and not be one of the user's previous four (4) passwords; and implement account lockout for failed access attempts in accordance with subsection k; OR"   AND   "j. Review all system accounts at least every three (3) months and deactivate any accounts that are no longer necessary for operations;" 
> 
> REPLACE section 2.m. with "m. Enforce multi-factor / multi-party authentication for administrator access to Issuing Systems and Certificate Management Systems;" 
> 
> REPLACE section 2.o. with "o. Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when: (i) the remote connection originates from a device owned or controlled by the CA or Delegated Third Party, (ii) the remote connection is through a temporary, non-persistent encrypted channel that is supported by multi-factor authentication, and (iii) the remote connection is made to a designated intermediary device (a) located within the CA’s network, (b) secured in accordance with these Requirements, and (c) that mediates the remote connection to the Issuing System." 
> 
> REPLACE "every 30 days and" with "once a month to" in section 3.e. so that it reads "e. Conduct a human review of application and system logs at least once a month to validate the integrity of logging processes and ensure that monitoring, logging, alerting, and log-integrity-verification functions are operating properly (the CA or Delegated Third Party MAY use an in-house or third-party audit log reduction and analysis tool); and" 
> 
> REPLACE 4.a. with "a. Implement intrusion detection and prevention controls under the control of CA or Delegated Third Party Trusted Roles to protect Certificate Systems against common network and system threats;" 
> 
> REPLACE 4.C. with "c. Undergo or perform a Vulnerability Scan (i) within one (1) week of receiving a request from the CA/Browser Forum, (ii) after any system or network changes that the CA determines are significant, and (iii) at least every three (3) months, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems;" 
> 
> REPLACE the definition of Security Support System in the Definitions with "Security Support System: A system used to provide security support functions, which MAY include authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and intrusion detection (Host-based intrusion detection / Network-based intrusion detection)." 
> 
> Make other editorial changes as indicated at https://github.com/cabforum/documents/pull/64/files <https://github.com/cabforum/documents/pull/64/files> and in the attached PDF. 
> 
> --Motion Ends-- 
> 
>  
>  
>  
>  
>  
> Ben Wilson, JD, CISA, CISSP
> VP Compliance
> +1 801 701 9678
> <image003.jpg>
>  
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org <mailto:Netsec at cabforum.org>
> http://cabforum.org/mailman/listinfo/netsec <http://cabforum.org/mailman/listinfo/netsec>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20170801/c5337f30/attachment-0001.html>


More information about the Netsec mailing list