[cabf_netsec] [EXTERNAL]Re: FW: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements
Moudrick M. Dadashov
md at ssc.lt
Thu Aug 3 12:36:30 MST 2017
Thanks, Kirk.
I was trying to separate IMO two different things:
1) the preparation of the Root (which falls under the Root key ceremony
related activities?);
2) the actual operation of the Root key material and certificate.
Thanks,
M.D.
On 8/3/2017 8:15 PM, Kirk Hall wrote:
>
> Moudrick – the point of Pat’s suggestion below is mainly to have the
> NetSec requirements differentiate between offline roots from online
> roots / subroots that are issuing end-entity certificates. It makes
> little sense, for example, to have to power-up an offline root every
> week to “review its configuration”, or power-up to change a password
> then power down again, etc. We will leave it to the NetSec WG to
> figure out the best way to do this and best language to do, but that
> is the general direction.
>
> Thanks.
>
> *From:* Moudrick M. Dadashov [mailto:md at ssc.lt]
> *Sent:* Wednesday, August 2, 2017 4:08 PM
> *To:* Kirk Hall <Kirk.Hall at entrustdatacard.com>; CA/Browser Forum
> Network Security WG List <netsec at cabforum.org>
> *Cc:* Patrick Milot <Patrick.Milot at entrustdatacard.com>
> *Subject:* [EXTERNAL]Re: [cabf_netsec] FW: Pre-Ballot 210 - Misc.
> Changes to the Network and Certificate System Security Requirements
>
> Why is "A*_n offline_* system used to create a Root Certificate" so
> important here?
>
> The same question goes for "...to generate the Private Key associated
> with a Root Certificate"?
>
> Thanks,
> M.D.
>
> On 8/3/2017 1:47 AM, Kirk Hall via Netsec wrote:
>
> WG members – Pat Milot of Entrust wants to suggest the following
> definition changes to the NetSec Requirements shown below. He is
> joining the WG, along with Rick Agarwala, but Pat can’t be on the
> next call.
>
> Can you add to the list of suggestions for change? Thanks.
>
> Kirk
>
> *From:* Patrick Milot
> *Sent:* Wednesday, August 2, 2017 6:54 AM
> *Subject:* RE: Pre-Ballot 210 - Misc. Changes to the Network and
> Certificate System Security Requirements
>
> Hi Kirk,
>
> I was thinking about this some more last night and can we suggest
> more changes. I would like to make the Root CA and Issuing CA
> definition crystal clear that the NetSec rules for Root CA Systems
> apply only to Roots that are maintained offline. Likewise, the
> NetSec rules that apply to Issuing Systems will only apply to
> roots that are used to sign end entity certs or validity status
> information. See suggestions.
>
> *Root CA System:* A*_n offline_* system used to create a Root
> Certificate or to generate, store, or sign with the Private Key
> associated with a Root Certificate. *_Root CA System is a unique
> category of system and is not considered to be an Issuing System
> or part of an Issuing System._*
>
> *Issuing System:* A system used to sign *_end entity_* certificates
> or validity status information.
>
> The goal would be to address current ridiculous requirements for
> offline roots under the NetSec requirements. The end result of
> these changes would be that if it is clear that Root CA is its own
> unique category of systems, then the only requirement from the
> NetSec that would apply to Roots would be for them to be air
> gapped and offline.
>
> For example, this requirement:
>
> Review configurations of Issuing Systems, Certificate Management
> Systems, Security Support Systems, and Front‐End / Internal‐Support
> Systems on at least a weekly basis to determine whether any changes
> violated the CA’s security policies;
>
> … would then NOT apply to offline roots – having to audit an
> offline system that is powered off and is on isolated networks
> every week makes no sense.
>
> I’m providing this wording as an example to the Net Sec WG, but
> feel free to suggest something else.
>
> Pat