[cabf_netsec] [EXTERNAL]Re: FW: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Aug 3 10:15:42 MST 2017


Moudrick – the point of Pat’s suggestion below is mainly to have the NetSec requirements differentiate offline roots from online roots / subroots that are issuing end-entity certificates.  It makes little sense, for example, to have to power up an offline root every week to “review its configuration”, or power up to change a password and then power down again, etc.  We will leave it to the NetSec WG to figure out the best way to do this and the best language to use, but that is the general direction.

Thanks.

From: Moudrick M. Dadashov [mailto:md at ssc.lt]
Sent: Wednesday, August 2, 2017 4:08 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Cc: Patrick Milot <Patrick.Milot at entrustdatacard.com>
Subject: [EXTERNAL]Re: [cabf_netsec] FW: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Why is "An offline system used to create a Root Certificate" so important here?

The same question goes for "...to generate the Private Key associated with a Root Certificate"?

Thanks,
M.D.
On 8/3/2017 1:47 AM, Kirk Hall via Netsec wrote:
WG members – Pat Milot of Entrust wants to suggest the following definition changes to the NetSec Requirements shown below.  He is joining the WG, along with Rick Agarwala, but Pat can’t be on the next call.

Can you add to the list of suggestions for change?  Thanks.

Kirk

From: Patrick Milot
Sent: Wednesday, August 2, 2017 6:54 AM
Subject: RE: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Hi Kirk,

I was thinking about this some more last night; can we suggest more changes?  I would like to make the Root CA and Issuing CA definitions crystal clear that the NetSec rules for Root CA Systems apply only to Roots that are maintained offline.  Likewise, the NetSec rules that apply to Issuing Systems will only apply to roots that are used to sign end entity certs or validity status information.  See suggestions.

Root CA System: An offline system used to create a Root Certificate or to generate, store, or sign with the Private Key associated with a Root Certificate.  Root CA System is a unique category of system and is not considered to be an Issuing System or part of an Issuing System.

Issuing System: A system used to sign end entity certificates or validity status information.

The goal would be to address current ridiculous requirements for offline roots under the NetSec requirements.  The end result of these changes would be that if it is clear that Root CA is its own unique category of systems, then the only requirement from the NetSec that would apply to Roots would be for them to be air gapped and offline.

For example, this requirement:

Review configurations of Issuing Systems, Certificate Management Systems, Security Support Systems, and Front‐End / Internal‐Support Systems on at least a weekly basis to determine whether any changes violated the CA’s security policies;

… would then NOT apply to offline roots – having to audit an offline system that is powered off and is on isolated networks every week makes no sense.

I’m providing this wording as an example to the Net Sec WG, but feel free to suggest something else.

Pat

_______________________________________________

Netsec mailing list

Netsec at cabforum.org

http://cabforum.org/mailman/listinfo/netsec
