[cabf_netsec] Netsec Digest, Vol 3, Issue 15

Tony Rutkowski tony at yaanatech.com
Tue Aug 22 06:45:56 MST 2017


Hi Chris,

It is worth noting that a significant amount of work
has occurred on this subject in the NFV SEC standards
group - in the context of providing trust mechanisms
for cloud based NFV/SDN orchestrations.  The NFV SEC
website navigation dashboard page is at:
https://portal.etsi.org/tb.aspx?tbid=799&SubTB=799

Its entire work item list is obtainable at the
URL below.  Published specifications are freely
available.  Draft materials require NFV membership,
but as that is also free, anyone can get access.
It meets bi-weekly.

https://portal.etsi.org/webapp/WorkProgram/Frame_WorkItemList.asp?titleType=all&qSORT=HIGHVERSION&qETSI_ALL=&SearchPage=TRUE&qTB_ID=799%3BNFV+SEC&qINCLUDE_SUB_TB=True&qINCLUDE_MOVED_ON=&qSTOP_FLG=N&qKEYWORD_BOOLEAN=OR&qCLUSTER_BOOLEAN=OR&qFREQUENCIES_BOOLEAN=OR&qSTOPPING_OUTDATED=&butExpertSearch=Search&includeNonActiveTB=FALSE&includeSubProjectCode=FALSE&qREPORT_TYPE=SUMMARY

--tony

On 21-Aug-17 11:03 AM, Chris Salter via Netsec wrote:
>
> I kept a few high level notes when the discussion veered toward
> putting a CA into the cloud. 
>
> Several minutes were spent considering how the current requirements
> cannot handle a cloud based CA. That begged the question "is it
> possible to have a cloud based CA?" The first response was no, you
> have to have physical control of your environment. Amazon and Google
> aren't cloud based because they operate their own facilities.
>
> Further discussion led to the observation that there is already
> tremendous trust placed in 3rd party products even when you do
> maintain physical control of your spaces. The group concluded that
> it is fair to consider outsourcing some parts of a CA operation
> to a cloud provider if the right SLA is in place for data separation.
>
> The conversation naturally then turned to the use of hypervisors in a
> CA architecture. This issue is particularly intriguing. Most
> virtualization vendors shy away from strong security claims.  For
> instance, does any vendor claim running two VMs on a VMM has security
> equivalent to running two independent devices? So how much security
> does virtualization offer? 
>
> My impression is that the group being split off is going to ask the
> cloud providers to make their proposal for what parts of a CA could be
> placed in their clouds. I was wondering if there is a hypervisor
> vendor in the group, or one that is available, that could describe
> their recommendations for safely and effectively using hypervisors in
> a CA architecture for greater:
>
> 1. Efficiencies
> 2. Recovery
> 3. Security
>
> It can be hard to trade these off of each other.
>
> Chris
>
>
> On Fri, Aug 11, 2017 at 3:00 PM, <netsec-request at cabforum.org> wrote:
>
>     Message: 1
>     Date: Thu, 10 Aug 2017 22:51:38 +0000
>     From: Ben Wilson <ben.wilson at digicert.com>
>     To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
>     Subject: [cabf_netsec] Draft notes of meeting today 10-August-2017
>     Message-ID: <8163513f39c94cb0baea6020064f1c03 at EX2.corp.digicert.com>
>     Content-Type: text/plain; charset="us-ascii"
>
>     In Attendance: Ben Wilson, Travis Graham, Xiu Lei, Jeff Stapleton, Kirk
>     Hall, Dean Coclin, Robin Alden, Wayne Thayer, Curt Spann, David King,
>     Dimitris Zacharopoulos, Tim Hollebeek, Steve Hillier, Neil Dunbar, Tobi
>     Josefowitz, Chris Salter, Peter Bowen, and Jeff Ward
>
>
>
>     Dimitris has made minor changes to the quick-fix version of the Network and
>     Certificate Systems Security Requirements on GitHub and published a redlined
>     version, but the redline version exported from GitHub to PDF does not
>     highlight additions. We'll need to come up with a long-term solution for
>     that. It is an issue to bring before the entire Forum. Ben will propose a
>     pre-ballot to the public list and include a redlined PDF.
>
>
>
>     Kirk asked whether we had considered his email dated 2-Aug-2017 in which he
>     relayed a request of Pat Milot of Entrust to revise the definition of "Root
>     CA" because in an offline state, a Root CA is not an "Issuing System". Kirk
>     noted that you shouldn't have to bring a Root CA back online just to change
>     a password every 90 days. The group felt that it would be better to go
>     forward with the quick-fix ballot and address the issue separately. Ben
>     said that there was an exception for that situation. It was also noted that
>     definitions for "offline" and "air-gapped" would lead to greater clarity.
>     Jeff Ward noted that auditors do run into problems with interpretation and
>     he asked Ben to spot that exception. [Subsequent to the call -- the
>     exception is in the words "where technically feasible" in section 2.g.]
>
>
>
>     Kirk asked whether we had decided to revise the Network Security
>     Requirements after the quick-fix ballot, and if so whether we had a game
>     plan for addressing issues. It was generally agreed on the call, and
>     previously noted by Peter in reference to an effort/discussion with Tim
>     Crawford of BDO, that it would be better to improve the existing
>     requirements because other security standards don't quite meet our needs.
>     They are either too general or too specific.
>
>     Kirk suggested that it would be good to look at the definitions. Neil said
>     that the Requirements need to account for the way IT business is done today
>     and that the Requirements were written based on decades-old models. Peter
>     offered to head a group of several volunteers who would discuss and compile
>     a list of cloud and virtualization issues. Ben would create a list of other
>     issues to prioritize using Doodle Poll or Survey Monkey.
>
>
>
>     The remainder of time on the call was spent discussing cloud/virtualization.
>     Neil noted that a rogue hypervisor administrator could really create a
>     security mess. It was generally agreed that there needed to be logical
>     segregation of systems when using hypervisors so that no VMs of lesser
>     security (a spammer) could be next door to sensitive PKI systems. [The
>     conversation continued, but unfortunately the minute-keeper did not have
>     WebEx recording turned on.]
>
>
>
>     Meeting adjourned.
>