[cabf_netsec] Federal PKI Input to NetSec Updates

Myers, Kenneth (10421) kenneth.myers at protiviti.com
Wed Jul 19 08:49:09 MST 2017


Morning everyone,

I didn't see any feedback on my recommendations. Did everyone receive them?

Also, one change for Air-Gapped:


a. Air-Gapped - Certificate Systems or components physically and logically isolated from the other networks.

    i. The intent is to capture that an air-gapped CA is either not network connected or isolated to a single network.


Kenneth Myers
Manager
+1.571.366.6120 Desk
Protiviti | 1640 King Street | Suite #400 | Alexandria | VA 22314 US | Protiviti.com<https://www.protiviti.com/>

From: Myers, Kenneth (10421)
Sent: Friday, July 14, 2017 12:16
To: 'netsec at cabforum.org' <netsec at cabforum.org>
Cc: Darlene Gore - QTGBAC <darlene.gore at gsa.gov>; Wendy Brown (Protiviti) <wendy.brown at protiviti.com>; Holland, Maria (10421) <maria.holland at protiviti.com>
Subject: Federal PKI Input to NetSec Updates

Good afternoon everyone,

The U.S. Federal Government PKI is an observer to the CAB Forum but would like to make the following recommendations as the NSR document is updated.


1) Recommend the following definitions:

a. Air-Gapped - Certificate Systems or components physically and logically disconnected from the public internet.

    i. The intent is to capture that an air-gapped CA cannot be accessed from the public internet.

b. Offline CA: An air-gapped Certificate System or component operated in a powered down state except to perform short-term maintenance or certificate activity.

    i. The intent is to capture that an Offline CA is operated in a powered down state for the majority of the time.

c. Online: Certificate Systems or components physically or logically connected to the public and/or a private internet.

2) Recommend additions to the following sections:

a. 1.h | Add a provision for an offline CA configuration review to be monthly or 30 days instead of weekly.

b. 1.j | Add a provision for an offline CA to implement multi-factor authentication or multi-person control.

c. 2.m | Add a provision for an offline CA to implement multi-factor authentication or multi-person control.

    i. The WG discussed this on the call also and the Federal PKI supports this addition.

d. 2.o.ii | Add a provision for an offline CA to implement multi-factor authentication or multi-person control.


Kenneth Myers
Supporting the GSA Federal PKI Management Authority
Manager
+1.571.366.6120 Desk