[cabf_netsec] [EXTERNAL]Re: Offline Roots

Myers, Kenneth (10421) kenneth.myers at protiviti.com
Thu Jul 20 06:05:51 MST 2017

Our recommendation is to add multi-party authentication to all offline root CA access requirements. Allow two-person control for physical and logical system access and certificate issuance on offline CAs. In U.S. Federal government, we have to comply with NIST 800-53 audits and most of the MFA solutions require additional VMs to operate (i.e. key servers, domain controllers, etc.). Adding additional VMs requires implementing additional compensating controls, which makes simple offline configurations untenable.

With your HSM example, is that also assuming MFA to the OS? Is the intent for MFA to increase assurance in issuing a certificate or for system access or both?

Kenneth Myers
+1.571.366.6120 Desk
Protiviti | 1640 King Street | Suite #400 | Alexandria | VA 22314 US | Protiviti.com<https://www.protiviti.com/>

From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Peter Bowen via Netsec
Sent: Thursday, July 6, 2017 12:37
To: Neil Dunbar <ndunbar at trustcorsystems.com>; CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: Re: [cabf_netsec] [EXTERNAL]Re: Offline Roots

On Jul 6, 2017, at 7:44 AM, Neil Dunbar via Netsec <netsec at cabforum.org<mailto:netsec at cabforum.org>> wrote:

On 6 Jul 2017, at 15:23, Bruce Morton <Bruce.Morton at entrustdatacard.com<mailto:Bruce.Morton at entrustdatacard.com>> wrote:

Hi Neil,

My search was wrong. I should have stated 1d, 1g, 1h, 2m and 2o

So, 2o is essentially inoperative. Perhaps a change like:

FROM: o. Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when:

TO: o. Restrict remote administration or access *to network connected devices* to an Issuing System, Certificate Management System, or Security Support System except when:

(thus making it explicitly inoperative for non-networked systems).

We had an issue with 2m where we were expected to have multi-factor authentication for an off-line root.

Is MFA for offline roots such a burden? I mean, password and USB connected fingerprint reader, or password and U2F device configured for HMAC-SHA1 challenge would work in an offline login. Doesn’t the actual HSM activation count as 2-factor (PIN plus key auth device)?

Where I’m going with all of this, since we’re in ‘low hanging fruit’ grabbing, is to ensure that the changes are as tight as possible, to avoid controversy while updating the existing NetSec doc.

What about changing 2(m) to “multi-factor or multi-party authentication”?  This would allow offline systems to use HSM controls to meet the requirement.  The definition of “system” is “one or more pieces of equipment”, so it is reasonable to say that a HSM attached to a computer, even if the HSM is a separate chassis, creates a single “issuing system”.
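The thread turns on two ideas: that a second factor can be verified entirely offline (Neil's password plus HMAC-SHA1 challenge-response token), and that multi-party control can substitute for or complement it (Ken's two-person rule). The following is an added example, not code from any of the posters or from the CA/Browser Forum, showing both checks on an air-gapped host with no key server or domain controller. Function names, the enrollment record layout, the PBKDF2 work factor, the two-operator quorum, and the simplification that the host keeps a copy of each token's HMAC-SHA1 secret (as host-side challenge-response verification requires) are all assumptions; operator names, passwords and secrets are constructed for the demonstration. HSM activation (PIN plus key-auth device) is a separate control and is not modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: PBKDF2 work factor chosen for the demo; tune for the host in practice.
PBKDF2_ITERATIONS = 100_000


@dataclass
class OperatorRecord:
    """Enrollment data stored on the offline host (constructed for this example)."""
    name: str
    salt: bytes
    password_hash: bytes
    token_secret: bytes  # copy of the HMAC-SHA1 secret programmed into the token


def enroll(name: str, password: str, token_secret: bytes) -> OperatorRecord:
    """Enroll an operator: salt and stretch the password, store the token secret."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return OperatorRecord(name, salt, pw_hash, token_secret)


class Token:
    """Models a challenge-response token: the secret never leaves the device."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def verify_password(record: OperatorRecord, password: str) -> bool:
    """Factor 1 (knowledge): constant-time comparison of the stretched password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record.password_hash)


def new_challenge() -> bytes:
    """Fresh random challenge per attempt, so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def verify_response(record: OperatorRecord, challenge: bytes, response: bytes) -> bool:
    """Factor 2 (possession): recompute HMAC-SHA1 locally and compare in constant time."""
    expected = hmac.new(record.token_secret, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(expected, response)


def authenticate_operator(record: OperatorRecord, password: str, respond) -> bool:
    """Both factors are checked on the host itself; nothing leaves the machine."""
    if not verify_password(record, password):
        return False
    challenge = new_challenge()
    return verify_response(record, challenge, respond(challenge))


def authorize_ceremony(enrolled: dict, attempts: list, quorum: int = 2) -> bool:
    """Multi-party control: `quorum` distinct enrolled operators must each pass MFA.

    `attempts` is a list of (name, password, respond_callable) tuples. The same
    operator presenting twice counts once, so one person cannot satisfy the quorum.
    """
    approved = set()
    for name, password, respond in attempts:
        record = enrolled.get(name)
        if record is not None and authenticate_operator(record, password, respond):
            approved.add(name)
    return len(approved) >= quorum


if __name__ == "__main__":
    # Constructed sample operators and token secrets.
    alice_secret, bob_secret = bytes(range(20)), bytes(range(20, 40))
    enrolled = {
        "alice": enroll("alice", "correct horse", alice_secret),
        "bob": enroll("bob", "battery staple", bob_secret),
    }
    alice_tok, bob_tok = Token(alice_secret), Token(bob_secret)
    ok = authorize_ceremony(enrolled, [
        ("alice", "correct horse", alice_tok.respond),
        ("bob", "battery staple", bob_tok.respond),
    ])
    print("ceremony authorized:", ok)
```

Each attempt gets its own random challenge, so a response recorded from one login is useless for the next, and the set-based quorum count is what makes the check "two-person" rather than "two logins".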

