[cabf_netsec] Netsec Digest, Vol 3, Issue 15

Chris Salter chris at achievablesecurity.com
Mon Aug 21 08:03:18 MST 2017


I kept a few high-level notes when the discussion veered toward putting a
CA into the cloud.

Several minutes were spent considering how the current requirements cannot
handle a cloud-based CA. That begged the question "is it possible to have a
cloud-based CA?" The first response was no, you have to have physical
control of your environment. Amazon and Google aren't cloud-based because
they operate their own facilities.

Further discussion led to the observation that there is already tremendous
trust placed in 3rd party products even when you do maintain physical
control of your spaces. The group concluded that it is fair to
consider outsourcing some parts of a CA operation to a cloud provider if
the right SLA is in place for data separation.

The conversation naturally then turned to the use of hypervisors in a CA
architecture. This issue is particularly intriguing. Most virtualization
vendors shy away from strong security claims.  For instance, does any
vendor claim running two VMs on a VMM has security equivalent to running
two independent devices? So how much security does virtualization offer?

My impression is that the group being split off is going to ask the cloud
providers to make their proposal for what parts of a CA could be placed in
their clouds. I was wondering if there is a hypervisor vendor in the group,
or one that is available, that could describe their recommendations for
safely and effectively using hypervisors in a CA architecture for greater:

1. Efficiencies
2. Recovery
3. Security

It can be hard to trade these off of each other.

Chris


On Fri, Aug 11, 2017 at 3:00 PM, <netsec-request at cabforum.org> wrote:

> Today's Topics:
>
>    1. Draft notes of meeting today 10-August-2017 (Ben Wilson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 10 Aug 2017 22:51:38 +0000
> From: Ben Wilson <ben.wilson at digicert.com>
> To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
> Subject: [cabf_netsec] Draft notes of meeting today 10-August-2017
> Message-ID: <8163513f39c94cb0baea6020064f1c03 at EX2.corp.digicert.com>
> Content-Type: text/plain; charset="us-ascii"
>
> In Attendance:  Ben Wilson, Travis Graham, Xiu Lei, Jeff Stapleton, Kirk
> Hall, Dean Coclin, Robin Alden, Wayne Thayer, Curt Spann, David King,
> Dimitris Zacharopoulos, Tim Hollebeek, Steve Hillier, Neil Dunbar, Tobi
> Josefowitz,  Chris Salter, Peter Bowen, and Jeff Ward
>
>
>
> Dimitris has made minor changes to the quick-fix version of the Network and
> Certificate Systems Security Requirements on GitHub and published a redlined
> version, but the redline version exported from GitHub to PDF does not
> highlight additions.  We'll need to come up with a long-term solution for
> that.  It is an issue to bring before the entire Forum.  Ben will propose a
> pre-ballot to the public list and include a redlined PDF.
>
>
>
> Kirk asked whether we had considered his email dated 2-Aug-2017 in which he
> relayed a request of Pat Milot of Entrust to revise the definition of "Root
> CA" because in an offline state, a Root CA is not an "Issuing System".  Kirk
> noted that you shouldn't have to bring a Root CA back online just to change
> a password every 90 days.  The group felt that it would be better to go
> forward with the quick-fix ballot and address the issue separately.  Ben
> said that there was an exception for that situation.  It was also noted that
> definitions for "offline" and "air-gapped" would lead to greater clarity.
> Jeff Ward noted that auditors do run into problems with interpretation and
> he asked Ben to spot that exception.  [Subsequent to the call -- the
> exception is in the words "where technically feasible" in section 2.g.]
>
>
>
> Kirk asked whether we had decided to revise the Network Security
> Requirements after the quick-fix ballot, and if so whether we had a game
> plan for addressing issues.  It was generally agreed on the call, and
> previously noted by Peter in reference to an effort/discussion with Tim
> Crawford of BDO, that it would be better to improve the existing
> requirements because other security standards don't quite meet our needs.
> They are either too general or too specific.
>
> Kirk suggested that it would be good to look at the definitions.  Neil said
> that the Requirements need to account for the way IT business is done today
> and that the Requirements were written based on decades-old models.  Peter
> offered to head a group of several volunteers who would discuss and compile
> a list of cloud and virtualization issues.  Ben would create a list of other
> issues to prioritize using Doodle Poll or Survey Monkey.
>
>
>
> The remainder of time on the call was spent discussing cloud/virtualization.
> Neil noted that a rogue hypervisor administrator could really create a
> security mess.  It was generally agreed that there needed to be logical
> segregation of systems when using hypervisors so that no VMs of lesser
> security (a spammer) could be next door to sensitive PKI systems.  [The
> conversation continued, but unfortunately the minute-keeper did not have
> WebEx recording turned on.]
>
>
>
> Meeting adjourned.
>