[cabf_netsec] FW: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Aug 2 15:47:12 MST 2017


WG members – Pat Milot of Entrust wants to suggest the following definition changes to the NetSec Requirements shown below.  He is joining the WG, along with Rick Agarwala, but Pat can’t be on the next call.

Can you add to the list of suggestions for change?  Thanks.

Kirk

From: Patrick Milot
Sent: Wednesday, August 2, 2017 6:54 AM
Subject: RE: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Hi Kirk,

I was thinking about this some more last night, and can we suggest more changes?  I would like to make the Root CA and Issuing CA definition crystal clear that the NetSec rules for Root CA Systems apply only to Roots that are maintained offline.  Likewise, the NetSec rules that apply to Issuing Systems will only apply to roots that are used to sign end entity certs or validity status information.  See suggestions.

Root CA System: An offline system used to create a Root Certificate or to generate, store, or sign with the Private Key associated with a Root Certificate.  Root CA System is a unique category of system and is not considered to be an Issuing System or part of an Issuing System.

Issuing System: A system used to sign end entity certificates or validity status information.

The goal would be to address current ridiculous requirements for offline roots under the NetSec requirements.  The end result of these changes would be that if it is clear that Root CA is its own unique category of systems, then the only requirement from the NetSec that would apply to Roots would be for them to be air gapped and offline.

For example, this requirement:

Review configurations of Issuing Systems, Certificate Management Systems, Security Support Systems, and Front‐End / Internal‐Support Systems on at least a weekly basis to determine whether any changes violated the CA’s security policies;

… would then NOT apply to offline roots – having to audit an offline system that is powered off and is on isolated networks every week makes no sense.

I’m providing this wording as an example to the Net Sec WG, but feel free to suggest something else.

Pat
