[cabf_netsec] [EXTERNAL]Re: Offline Roots

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Jul 6 07:23:42 MST 2017 

Hi Neil,

My search was wrong. I should have stated 1d, 1g, 1h, 2m and 2o

We had an issue with 2m where we were expected to have multi-factor authentication for an off-line root.

What change would you suggest for a short-term fix for roots?

Thanks, Bruce.

From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Neil Dunbar via Netsec
Sent: Thursday, July 6, 2017 10:05 AM
To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: [EXTERNAL]Re: [cabf_netsec] Offline Roots


On 6 Jul 2017, at 14:41, Bruce Morton via Netsec <netsec at cabforum.org<mailto:netsec at cabforum.org>> wrote:

There are four requirements (1d, 1g, 1h and 1o) for Certificate Management System which do no need to apply to roots, since the roots are off-line in a high security zone. To remove the issue, we can change the Certificate Management System definition.

I have no specific objection to the scope change, but I’m wary of essentially a more generic ‘does not apply to Root CA kit’ definition.

For instance, 1d is redundant, but not necessarily inoperative. 1g is not particularly operative by virtue of the air gap, but the requirement for least privilege (i.e., no applications which don’t need to be there, no extraneous accounts) would still apply to a Root CA system; similarly if the Root CA operating devices are provisioned via an image sourced from a configuration management system, then operated in a private, air gapped, capacity - the configuration change review would still be operative.

I guess what I’m getting at is that I wouldn’t want to see CAs dropping reasonable architectural review and operating protections merely because the system operated is air gapped. There are still vectors in and out of an air gapped system (e.g. removable storage devices) which could contain threat material just as dangerous as online vectors for non-airgapped systems.

Bruce - what did you see as the conflict in requirements (as opposed to requirements which are rendered moot by architecture) for offline roots?

Cheers,

Neil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20170706/15bc74f5/attachment.html>

More information about the Netsec mailing list