[cabf_netsec] Netsec Digest, Vol 3, Issue 15

Phillip philliph at comodo.com
Tue Aug 22 09:02:00 MST 2017


Outsourcing CAs in the cloud has been happening for years. What many folk call a ‘CA’ is in many cases simply a hosting service for cloud-based CAs. The first commercial CA was spun out of RSA Labs after a financial company asked RSA to run a CA for them.

The question then is ‘who would provide an SLA strong enough to pass audit’.

The next question should probably be, ‘what else should or should not be allowed within the audited perimeter’.

The way I look at physical audit is that the CA gets to draw their line anywhere they choose. But they have to be able to show that everything inside the line is entirely under control and that the issuance and validation processes cannot be affected by anything outside the line except as specified in the CPS.

VMs are useful and might well be interesting as an enhancement. They allow us to do things such as checkpoint the state of a machine in a hashchain notary. I do not see running a trusted VM on an untrusted computer as being viable for WebPKI given the current state of technology.

Where that might be viable would be for a MailPKI for a captive CA running on a constrained intermediate cert to issue for the enterprise. So the captive can sign *@example.com.

From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Tony Rutkowski via Netsec
Sent: Tuesday, August 22, 2017 9:46 AM
To: Chris Salter <chris at achievablesecurity.com>; CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: Re: [cabf_netsec] Netsec Digest, Vol 3, Issue 15

Hi Chris,

It is worth noting that a significant amount of work
has occurred on this subject in the NFV SEC standards
group - in the context of providing trust mechanisms
for cloud based NFV/SDN orchestrations.  The NFV SEC
website navigation dashboard page is at:
https://portal.etsi.org/tb.aspx?tbid=799&SubTB=799

Its entire work item list is obtainable at the
URL below.  Published specifications are freely
available.  Draft materials require NFV membership,
but as that is also free, anyone can get access.
It meets bi-weekly.

https://portal.etsi.org/webapp/WorkProgram/Frame_WorkItemList.asp?titleType=all&qSORT=HIGHVERSION&qETSI_ALL=&SearchPage=TRUE&qTB_ID=799%3BNFV+SEC&qINCLUDE_SUB_TB=True&qINCLUDE_MOVED_ON=&qSTOP_FLG=N&qKEYWORD_BOOLEAN=OR&qCLUSTER_BOOLEAN=OR&qFREQUENCIES_BOOLEAN=OR&qSTOPPING_OUTDATED=&butExpertSearch=Search&includeNonActiveTB=FALSE&includeSubProjectCode=FALSE&qREPORT_TYPE=SUMMARY

--tony

On 21-Aug-17 11:03 AM, Chris Salter via Netsec wrote:

I kept a few high-level notes when the discussion veered toward putting a CA into the cloud.

Several minutes were spent considering how the current requirements cannot handle a cloud-based CA. That begged the question "is it possible to have a cloud-based CA?" The first response was no, you have to have physical control of your environment. Amazon and Google aren't cloud-based because they operate their own facilities.

Further discussion led to the observation that there is already tremendous trust placed in third-party products even when you do maintain physical control of your spaces. The group concluded that it is fair to consider outsourcing some parts of a CA operation to a cloud provider if the right SLA is in place for data separation.

The conversation naturally then turned to the use of hypervisors in a CA architecture. This issue is particularly intriguing. Most virtualization vendors shy away from strong security claims. For instance, does any vendor claim running two VMs on a VMM has security equivalent to running two independent devices? So how much security does virtualization offer?

My impression is that the group being split off is going to ask the cloud providers to make their proposal for what parts of a CA could be placed in their clouds. I was wondering if there is a hypervisor vendor in the group, or one that is available, that could describe their recommendations for safely and effectively using hypervisors in a CA architecture for greater:

1. Efficiencies
2. Recovery
3. Security

It can be hard to trade these off against each other.

Chris

On Fri, Aug 11, 2017 at 3:00 PM, <netsec-request at cabforum.org> wrote:


Today's Topics:

   1. Draft notes of meeting today 10-August-2017 (Ben Wilson)


----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Aug 2017 22:51:38 +0000
From: Ben Wilson <ben.wilson at digicert.com>
To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: [cabf_netsec] Draft notes of meeting today 10-August-2017
Message-ID: <8163513f39c94cb0baea6020064f1c03 at EX2.corp.digicert.com>
Content-Type: text/plain; charset="us-ascii"

In Attendance:  Ben Wilson, Travis Graham, Xiu Lei, Jeff Stapleton, Kirk
Hall, Dean Coclin, Robin Alden, Wayne Thayer, Curt Spann, David King,
Dimitris Zacharopoulos, Tim Hollebeek, Steve Hillier, Neil Dunbar, Tobi
Josefowitz, Chris Salter, Peter Bowen, and Jeff Ward

Dimitris has made minor changes to the quick-fix version of the Network and
Certificate Systems Security Requirements on GitHub and published a redlined
version, but the redline version exported from GitHub to PDF does not
highlight additions.  We'll need to come up with a long-term solution for
that.  It is an issue to bring before the entire Forum.  Ben will propose a
pre-ballot to the public list and include a redlined PDF.

Kirk asked whether we had considered his email dated 2-Aug-2017 in which he
relayed a request of Pat Milot of Entrust to revise the definition of "Root
CA" because in an offline state, a Root CA is not an "Issuing System".  Kirk
noted that you shouldn't have to bring a Root CA back online just to change
a password every 90 days.  The group felt that it would be better to go
forward with the quick-fix ballot and address the issue separately.  Ben
said that there was an exception for that situation.  It was also noted that
definitions for "offline" and "air-gapped" would lead to greater clarity.
Jeff Ward noted that auditors do run into problems with interpretation and
he asked Ben to spot that exception.  [Subsequent to the call -- the
exception is in the words "where technically feasible" in section 2.g.]

Kirk asked whether we had decided to revise the Network Security
Requirements after the quick-fix ballot, and if so whether we had a game
plan for addressing issues.  It was generally agreed on the call, and
previously noted by Peter in reference to an effort/discussion with Tim
Crawford of BDO, that it would be better to improve the existing
requirements because other security standards don't quite meet our needs.
They are either too general or too specific.

Kirk suggested that it would be good to look at the definitions.  Neil said
that the Requirements need to account for the way IT business is done today
and that the Requirements were written based on decades-old models.  Peter
offered to head a group of several volunteers who would discuss and compile
a list of cloud and virtualization issues.  Ben would create a list of other
issues to prioritize using Doodle Poll or Survey Monkey.

The remainder of time on the call was spent discussing cloud/virtualization.
Neil noted that a rogue hypervisor administrator could really create a
security mess.  It was generally agreed that there needed to be logical
segregation of systems when using hypervisors so that no VMs of lesser
security (a spammer) could be next door to sensitive PKI systems.  [The
conversation continued, but unfortunately the minute-keeper did not have
WebEx recording turned on.]

Meeting adjourned.


------------------------------


------------------------------

End of Netsec Digest, Vol 3, Issue 15
*************************************
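Editor's added illustration of the "checkpoint the state of a machine in a hashchain notary" idea in Phillip's reply, read together with the rogue-hypervisor-administrator concern Neil raised in the minutes. This is example code, not code from any list participant or from the CA/Browser Forum. Each VM snapshot digest is appended to a hash chain; the chain head is what you would hand to an external witness (a log server, an auditor, a paper record) so that an administrator who can rewrite the notary's storage cannot silently alter, re-chain or truncate the history. The class and function names, the `vm_id` and timestamp values, and the snapshot byte strings are all constructed for the example.

```python
"""Hash-chained checkpoint log for VM state digests (illustrative example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first checkpoint


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Checkpoint:
    seq: int
    vm_id: str
    timestamp: str        # caller-supplied, treated as an opaque string
    snapshot_digest: str  # SHA-256 of the VM disk/memory image
    prev_hash: str        # entry_hash of the previous checkpoint (GENESIS for the first)
    entry_hash: str       # SHA-256 over the canonical encoding of the fields above


def _entry_hash(seq: int, vm_id: str, timestamp: str, snapshot_digest: str, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible by a verifier
    payload = json.dumps(
        {"seq": seq, "vm_id": vm_id, "timestamp": timestamp,
         "snapshot_digest": snapshot_digest, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(payload)


class HashChainNotary:
    """Append-only log: every checkpoint commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Checkpoint] = []

    def head(self) -> str:
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def checkpoint(self, vm_id: str, timestamp: str, snapshot: bytes) -> Checkpoint:
        seq = len(self.entries)
        digest = sha256_hex(snapshot)
        prev = self.head()
        cp = Checkpoint(seq, vm_id, timestamp, digest, prev,
                        _entry_hash(seq, vm_id, timestamp, digest, prev))
        self.entries.append(cp)
        return cp


def verify_chain(entries: List[Checkpoint], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first entry that fails.

    If expected_head (a head hash published to an external witness) is given and the
    chain ends elsewhere, len(entries) is returned: the log was truncated or re-chained.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return i
        if e.entry_hash != _entry_hash(e.seq, e.vm_id, e.timestamp, e.snapshot_digest, e.prev_hash):
            return i
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def demo():
    """Intact chain, then three tampering patterns a rogue admin might try."""
    notary = HashChainNotary()
    # Constructed sample "snapshots" standing in for real VM images (assumption)
    for n, blob in enumerate([b"issuing-ca state 0", b"issuing-ca state 1", b"issuing-ca state 2"]):
        notary.checkpoint("issuing-ca-01", f"2017-08-22T09:0{n}:00Z", blob)
    published_head = notary.head()          # value handed to the external witness
    ok = verify_chain(notary.entries, published_head)

    e = notary.entries[1]
    rogue = sha256_hex(b"rogue image")
    # 1. Edit a digest in place: the entry's own hash no longer matches
    tampered = list(notary.entries)
    tampered[1] = Checkpoint(e.seq, e.vm_id, e.timestamp, rogue, e.prev_hash, e.entry_hash)
    in_place = verify_chain(tampered, published_head)
    # 2. Recompute the edited entry's hash: the next entry's prev_hash link breaks
    rechained = list(notary.entries)
    rechained[1] = Checkpoint(e.seq, e.vm_id, e.timestamp, rogue, e.prev_hash,
                              _entry_hash(e.seq, e.vm_id, e.timestamp, rogue, e.prev_hash))
    rechain = verify_chain(rechained, published_head)
    # 3. Drop the newest checkpoint: only the externally held head reveals it
    truncated = verify_chain(notary.entries[:2], published_head)
    return ok, in_place, rechain, truncated


if __name__ == "__main__":
    print(demo())  # (None, 1, 2, 2)
```

The third case is the one that matters for the audit-perimeter question: an attacker who controls the notary's storage can rewrite every entry after the one they changed and produce a perfectly self-consistent chain, so the head hash has to live somewhere outside the line the CA draws, and the verifier has to compare against it.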