[cabf_netsec] Offline Roots

[Peter Bowen]

> On Jul 6, 2017, at 6:41 AM, Bruce Morton via Netsec <netsec at cabforum.org> wrote:
> 
> There is an issue where the offline roots are considered part of the certificate management system. This leads to requirements which may conflict with the main offline root requirement which states “Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks.”
>  
> There are four requirements (1d, 1g, 1h and 1o) for Certificate Management System which do no need to apply to roots, since the roots are off-line in a high security zone. To remove the issue, we can change the Certificate Management System definition.
>  
> Change from:  Certificate Management System: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage.
>  
> Change to:  Certificate Management System: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage. The CA Management System does not include the Root CA System.
> 

Bruce,

Would it make more sense to clarify that a CA may have multiple separate Certificate Management Systems?  It sounds like there is an assumption that all the equipment is a single “System”.  I think the intent is that the CA defines which components (equipment or software) make up each System.

Thanks,
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20170708/6a0e8790/attachment.html>