[cabf_netsec] [EXTERNAL]Re: Offline Roots

Neil Dunbar ndunbar at trustcorsystems.com
Thu Jul 6 10:05:06 MST 2017

> On 6 Jul 2017, at 17:36, Peter Bowen <pzb at amzn.com> wrote:
>> On Jul 6, 2017, at 7:44 AM, Neil Dunbar via Netsec <netsec at cabforum.org> wrote:
>> Is MFA for offline roots such a burden? I mean, password and USB connected fingerprint reader, or password and U2F device configured for HMAC-SHA1 challenge would work in an offline login. Doesn’t the actual HSM activation count as 2-factor (PIN plus key auth device)?
>> Where I’m going with all of this, since we’re in ‘low hanging fruit’ grabbing, is to ensure that the changes are as tight as possible, to avoid controversy while updating the existing NetSec doc.
> What about changing 2(m) to “multi-factor or multi-party authentication”?  This would allow offline systems to use HSM controls to meet the requirement.  The definition of “system” is “one or more pieces of equipment”, so it is reasonable to say that a HSM attached to a computer, even if the HSM is a separate chassis, creates a single “issuing system”.

I think this is a reasonable wording. I mean, we’re talking about preventing simple issuance from Root CA kit, so the equipment protecting the HSM is really the important part.
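As an added illustration of the "password and U2F device configured for HMAC-SHA1 challenge" point raised above (example code written for this page, not anything from the CA/B Forum thread or a real token vendor): an air-gapped host keeps a salted password hash plus the token's HMAC secret, issues a fresh random challenge per login, and only accepts the session when both the password and the token's HMAC-SHA1 response check out. The class and function names, the constructed token secret and the PBKDF2 parameters are all assumptions; in a real deployment the HMAC secret stays sealed inside the token and the host would only hold what it needs to verify.

```python
"""Offline two-factor login: password plus HMAC-SHA1 challenge-response token.

Hypothetical model of the scheme discussed in the thread. Everything is
local state, so it works with no network connectivity at all; the random,
single-use challenge is what stops a captured response from being replayed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored password hash


class OfflineHost:
    """Air-gapped login verifier for a root CA workstation (hypothetical)."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        # Simulates the secret provisioned into the hardware token at enrolment.
        self.token_secret = token_secret
        self._pending = None  # the one outstanding challenge, if any

    def new_challenge(self) -> bytes:
        """Issue a fresh 32-byte random challenge for the next login attempt."""
        self._pending = secrets.token_bytes(32)
        return self._pending

    def login(self, password: str, response: bytes) -> bool:
        """Accept only if BOTH factors verify against the outstanding challenge."""
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # challenge is single-use
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS),
            self.pw_hash)
        expected = hmac.new(self.token_secret, challenge, hashlib.sha1).digest()
        token_ok = hmac.compare_digest(expected, response)
        # Both checks are always evaluated; the result does not short-circuit.
        return pw_ok and token_ok


def token_respond(token_secret: bytes, challenge: bytes) -> bytes:
    """What the token computes on button press: HMAC-SHA1 over the challenge."""
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()


def demo() -> dict:
    """Run the four cases a reviewer would want to see and return the outcomes."""
    # Constructed token secret for the demo; a real token generates its own.
    secret = bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
    host = OfflineHost("correct-horse-battery", secret)
    results = {}

    c = host.new_challenge()
    good_response = token_respond(secret, c)
    results["both_factors"] = host.login("correct-horse-battery", good_response)

    c = host.new_challenge()
    results["wrong_password"] = host.login("wrong", token_respond(secret, c))

    c = host.new_challenge()
    results["wrong_token"] = host.login(
        "correct-horse-battery", token_respond(b"some other token", c))

    # Replay: reuse the earlier valid response against a new challenge.
    host.new_challenge()
    results["replayed_response"] = host.login("correct-horse-battery", good_response)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'accepted' if ok else 'rejected'}")
```

The design point worth noticing is that the host never needs the network: the second factor is verified with nothing but a local secret and a locally generated nonce, which is exactly why the "MFA is a burden for offline roots" concern is weaker than it first appears.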
