[cabf_netsec] [EXTERNAL] Re: Offline Roots

Tom Ritter tom at ritter.vg
Fri Jul 7 06:47:48 MST 2017


On 7 July 2017 at 04:26, Dimitris Zacharopoulos via Netsec
<netsec at cabforum.org> wrote:
> On 6/7/2017 7:36 PM, Peter Bowen via Netsec wrote:
> So, to better understand the suggestion, for 2(m) we would need either
> "multi-factor authentication by a single person" OR "single-factor
> authentication by multiple persons". Is that right?

Or multi-factor by multiple persons? I don't know how pedantic auditors can be :)

Question: What doc are you all working off? (I pull up
https://cabforum.org/network-security/ which numbers things
numerically, not with letters.)
I am also skeptical of issuing a blanket "Does not apply to roots".

1d - I don't understand why this is a problem, since an offline root
is stored in (as you said) "a high security zone". This ought to fit
the definition of "Secure Zone" no?

1g, 1h - I agree these could be reworked to accommodate offline
devices. Could change to "Configure **network-connected** Issuing
Systems..."?

2m - Agree I would prefer to keep this requirement even for
non-network connected devices, but we should have it to multi-factor
and/or multi-party.

2o - I agree this shouldn't apply, and have no concerns about adding a
clarifying "network-connected"

-tom
