[cabf_netsec] Offline Roots

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Jul 6 06:41:23 MST 2017


There is an issue where the offline roots are considered part of the certificate management system. This leads to requirements which may conflict with the main offline root requirement which states "Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks."

There are four requirements (1d, 1g, 1h and 1o) for Certificate Management System which do not need to apply to roots, since the roots are offline in a high security zone. To remove the issue, we can change the Certificate Management System definition.

Change from: Certificate Management System: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage.

Change to: Certificate Management System: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage. The CA Management System does not include the Root CA System.


Thanks,

Bruce Morton
Entrust Datacard
+1.613.270.3743
