[cabf_netsec] [EXTERNAL] Re: Offline Roots

Peter Bowen pzb at amzn.com
Sat Jul 8 08:44:31 MST 2017

> On Jul 7, 2017, at 6:47 AM, Tom Ritter <tom at ritter.vg> wrote:
> On 7 July 2017 at 04:26, Dimitris Zacharopoulos via Netsec
> <netsec at cabforum.org> wrote:
>> On 6/7/2017 7:36 PM, Peter Bowen via Netsec wrote:
>> So, to better understand the suggestion, for 2(m) we would need either
>> "multi-factor authentication by a single person" OR "single-factor
>> authentication by multiple persons". Is that right?
> Or multi-factor by multiple persons? I don't know how pedantic auditors can be :)
> Question: What doc are you all working off? (I pull up
> https://cabforum.org/network-security/ which numbers things
> numerically, not with letters.)

https://cabforum.org/wp-content/uploads/Network_Security_Controls_V1.pdf is the PDF version which uses letters.

> I am also skeptical of issuing a blanket "Does not apply to roots".
> 1d - I don't understand why this is a problem, since an offline root
> is stored in (as you said) "a high security zone". This ought to fit
> the definition of "Secure Zone" no?
> 1g, 1h - I agree these could be reworked to accommodate offline
> devices. Could change to "Configure **network-connected** Issuing
> Systems…"?

This seems like a reasonable change.

> 2m - Agree I would prefer to keep this requirement even for
> non-network connected devices, but we should have it to multi-factor
> and/or multi-party.

Sounds good to me.

> 2o - I agree this shouldn't apply, and have no concerns about adding a
> clarifying "network-connected"

Also seems reasonable, but I’m still not sure how one would have remote access to a non-network connected device.

> -tom
