[cabf_netsec] [EXTERNAL]Re: Offline Roots
Peter Bowen
pzb at amzn.com
Sat Jul 8 08:44:31 MST 2017
> On Jul 7, 2017, at 6:47 AM, Tom Ritter <tom at ritter.vg> wrote:
>
> On 7 July 2017 at 04:26, Dimitris Zacharopoulos via Netsec
> <netsec at cabforum.org> wrote:
>> On 6/7/2017 7:36 PM, Peter Bowen via Netsec wrote:
>> So, to better understand the suggestion, for 2(m) we would need either
>> "multi-factor authentication by a single person" OR "single-factor
>> authentication by multiple persons". Is that right?
>
> Or multi-factor by multiple persons? I don't know how pedantic auditors can be :)
>
> Question: What doc are you all working off? (I pull up
> https://cabforum.org/network-security/ which numbers things
> numerically, not with letters.)
https://cabforum.org/wp-content/uploads/Network_Security_Controls_V1.pdf is the PDF version which uses letters.
>
> I am also skeptical of issuing a blanket "Does not apply to roots".
>
> 1d - I don't understand why this is a problem, since an offline root
> is stored in (as you said) "a high security zone". This ought to fit
> the definition of "Secure Zone" no?
>
> 1g, 1h - I agree these could be reworked to accommodate offline
> devices. Could change to "Configure **network-connected** Issuing
> Systems..."?
This seems like a reasonable change.
> 2m - Agree I would prefer to keep this requirement even for
> non-network connected devices, but we should have it to multi-factor
> and/or multi-party.
Sounds good to me.
> 2o - I agree this shouldn't apply, and have no concerns about adding a
> clarifying "network-connected"
Also seems reasonable, but I'm still not sure how one would have remote access to a non-network connected device.
> -tom