[cabf_netsec] Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements
Dimitris Zacharopoulos
jimmy at it.auth.gr
Thu Aug 3 09:10:41 MST 2017
On 1/8/2017 10:48 PM, Kirk Hall via Netsec wrote:
>
> Can the three sponsors of the ballot make a clarifying change before
> sending to the full Forum? (We support “or” instead of a “/”).
>
Happy to use "OR" instead of "/". If nobody objects, I will add this
change to the proposed github pull request and Ben can update the ballot
language.
So, we have DigiCert, HARICA and TrustCor to proceed with the ballot.
Dimitris.
> *From:* Ben Wilson [mailto:ben.wilson at digicert.com]
> *Sent:* Tuesday, August 1, 2017 12:01 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum
> Network Security WG List <netsec at cabforum.org>
> *Subject:* [EXTERNAL]RE: Pre-Ballot 210 - Misc. Changes to the Network
> and Certificate System Security Requirements
>
> I think it is meant as an "or".
>
> ------------------------------------------------------------------------
>
> *From:* Kirk Hall <Kirk.Hall at entrustdatacard.com>
> *Sent:* 8/1/2017 12:51 PM
> *To:* Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum
> Network Security WG List <netsec at cabforum.org>
> *Subject: *RE: Pre-Ballot 210 - Misc. Changes to the Network and
> Certificate System Security Requirements
>
> Ben, one question on this change:
>
> Enforce multi‐factor / multi‐party authentication for administrator
> access to Issuing Systems and Certificate Management Systems;
>
> Is that meant to require BOTH multi-factor AND multi-party
> authentication? Or is it meant to require EITHER one or the other (or
> both), at the CA’s option?
>
> If the latter, maybe change “/” to “and/or”…
>
> *From:* Ben Wilson [mailto:ben.wilson at digicert.com]
> *Sent:* Tuesday, August 1, 2017 11:41 AM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum
> Network Security WG List <netsec at cabforum.org>
> *Subject:* [EXTERNAL]RE: Pre-Ballot 210 - Misc. Changes to the Network
> and Certificate System Security Requirements
>
> Here you go.
>
> *Ben Wilson, JD, CISA, CISSP*
>
> VP Compliance
>
> +1 801 701 9678
>
> *From:* Kirk Hall [mailto:Kirk.Hall at entrustdatacard.com]
> *Sent:* Tuesday, August 1, 2017 7:55 AM
> *To:* Ben Wilson <ben.wilson at digicert.com>; CA/Browser Forum
> Network Security WG List <netsec at cabforum.org>
> *Subject:* Pre-Ballot 210 - Misc. Changes to the Network and
> Certificate System Security Requirements
>
> Is there any way that a red-line, track changes document can be
> provided for this pre-ballot? It will really help our team analyze
> the changes.
>
> *From:* Netsec [mailto:netsec-bounces at cabforum.org] *On Behalf Of *Ben
> Wilson via Netsec
> *Sent:* Thursday, July 27, 2017 3:45 PM
> *To:* CA/Browser Forum Network Security WG List <netsec at cabforum.org>
> *Subject:* [EXTERNAL][cabf_netsec] Pre-Ballot 210 - Misc. Changes to
> the Network and Certificate System Security Requirements
>
> Based on Dimitris’ recent updates to the document on GitHub (see
> https://github.com/cabforum/documents/pull/64/files ), I’ve created a
> pre-ballot that the Working Group should be able to endorse. See
> https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR
> (pasted below). I don’t have the PDF ready yet, but I’ll circulate it
> later.
>
> *Ballot 210 - Miscellaneous Changes to the Network and Certificate
> System Security Requirements*
>
> The Network Security Working Group recommends that the Forum make the
> following minor revisions to the Network and Certificate System
> Security Requirements.
>
> --Motion Begins--
>
> In the Network and Certificate System Security Requirements.
>
> ADD ETSI EN 319 411-1 to first sentence of the Scope and Applicability
> section so that it reads "These Network and Certificate System
> Security Requirements (Requirements) apply to all publicly trusted
> Certification Authorities (CAs) and are adopted with the intent that
> all such CAs and Delegated Third Parties be audited for conformity
> with these Requirements as soon as they have been incorporated as
> mandatory requirements (if not already mandatory requirements) in the
> root embedding program for any major Internet browsing client and that
> they be incorporated into the WebTrust
> <https://cabforum.org/wiki/WebTrust> Service Principles and Criteria
> for Certification Authorities, ETSI TS 101 456, ETSI TS 102 042 and
> ETSI EN 319 411-1 including revisions and implementations thereof,
> including any audit scheme that purports to determine conformity
> therewith."
>
> REPLACE section 1.a. with "a. Segment Certificate Systems into
> networks based on their functional or logical relationship, for
> example separate physical networks or VLANs;"
>
> REPLACE section 1.b. with "b. Apply equivalent security controls to
> all systems co-located in the same network with a Certificate System;"
>
> REPLACE "90 days" with "three (3) months" in section 2.g.ii. and 2.j
> so that they read "ii. For accounts that are accessible from outside a
> Secure Zone or High Security Zone, require that passwords have at
> least eight (8) characters, be changed at least every three (3)
> months, use a combination of at least numeric and alphabetic
> characters, that are not a dictionary word or on a list of previously
> disclosed human-generated passwords, and not be one of the user's
> previous four (4) passwords; and implement account lockout for failed
> access attempts in accordance with subsection k; OR" AND "j.
> Review all system accounts at least every three (3) months and
> deactivate any accounts that are no longer necessary for operations;"
>
> REPLACE section 2.m. with "m. Enforce multi-factor / multi-party
> authentication for administrator access to Issuing Systems and
> Certificate Management Systems;"
>
> REPLACE section 2.o. with "o. Restrict remote administration or access
> to an Issuing System, Certificate Management System, or Security
> Support System except when: (i) the remote connection originates from
> a device owned or controlled by the CA or Delegated Third Party, (ii)
> the remote connection is through a temporary, non-persistent encrypted
> channel that is supported by multi-factor authentication, and (iii)
> the remote connection is made to a designated intermediary device (a)
> located within the CA’s network, (b) secured in accordance with these
> Requirements, and (c) that mediates the remote connection to the
> Issuing System."
>
> REPLACE "every 30 days and" with "once a month to" in section 3.e. so
> that it reads "e. Conduct a human review of application and system
> logs at least once a month to validate the integrity of logging
> processes and ensure that monitoring, logging, alerting, and
> log-integrity-verification functions are operating properly (the CA or
> Delegated Third Party MAY use an in-house or third-party audit log
> reduction and analysis tool); and"
>
> REPLACE 4.a. with "a. Implement intrusion detection and prevention
> controls under the control of CA or Delegated Third Party Trusted
> Roles to protect Certificate Systems against common network and system
> threats;"
>
> REPLACE 4.C. with "c. Undergo or perform a Vulnerability Scan (i)
> within one (1) week of receiving a request from the CA/Browser Forum,
> (ii) after any system or network changes that the CA determines are
> significant, and (iii) at least every three (3) months, on public and
> private IP addresses identified by the CA or Delegated Third Party as
> the CA’s or Delegated Third Party’s Certificate Systems;"
>
> REPLACE the definition of Security Support System in the Definitions
> with "Security Support System: A system used to provide security
> support functions, which MAY include authentication, network boundary
> control, audit logging, audit log reduction and analysis,
> vulnerability scanning, and intrusion detection (Host-based intrusion
> detection / Network-based intrusion detection)."
>
> Make other editorial changes as indicated at
> https://github.com/cabforum/documents/pull/64/files and in the
> attached PDF.
>
> --Motion Ends--
>
> *Ben Wilson, JD, CISA, CISSP*
>
> VP Compliance
>
> +1 801 701 9678