[cabf_netsec] Offline Roots

Neil Dunbar ndunbar at trustcorsystems.com
Thu Jul 6 07:04:42 MST 2017


> On 6 Jul 2017, at 14:41, Bruce Morton via Netsec <netsec at cabforum.org> wrote:
> 
> There are four requirements (1d, 1g, 1h and 1o) for Certificate Management System which do not need to apply to roots, since the roots are off-line in a high security zone. To remove the issue, we can change the Certificate Management System definition.

I have no specific objection to the scope change, but I’m wary of essentially a more generic ‘does not apply to Root CA kit’ definition.

For instance, 1d is redundant, but not necessarily inoperative. 1g is not particularly operative by virtue of the air gap, but the requirement for least privilege (i.e., no applications which don’t need to be there, no extraneous accounts) would still apply to a Root CA system; similarly if the Root CA operating devices are provisioned via an image sourced from a configuration management system, then operated in a private, air gapped, capacity - the configuration change review would still be operative.

I guess what I’m getting at is that I wouldn’t want to see CAs dropping reasonable architectural review and operating protections merely because the system operated is air gapped. There are still vectors in and out of an air gapped system (e.g. removable storage devices) which could contain threat material just as dangerous as online vectors for non-airgapped systems.

Bruce - what did you see as the conflict in requirements (as opposed to requirements which are rendered moot by architecture) for offline roots?

Cheers,

Neil