[cabf_netsec] Suggested changes for Off-line CAs

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Jul 13 08:57:04 MST 2017


I tried to summarize the proposed changes to address the off-line CAs.


From 2m. Enforce multi-factor authentication for administrator access to Issuing Systems and Certificate Management Systems;
To 2m. Enforce multi-factor or multi-party authentication for administrator access to Issuing Systems and Certificate Management Systems;
Or To. Enforce multi-factor authentication by a single person or single-factor authentication by multiple persons for administrator access to Issuing Systems and Certificate Management Systems;

From: 2o. Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when:
To: 2o. Restrict remote administration or access to network connected devices to an Issuing System, Certificate Management System, or Security Support System except when:

Do we need definitions for Multi-Factor and Multi-party? These are not defined in the Baseline Requirements.

Bruce.
