[cabf_netsec] Notes of meeting 27-July-2017
ben.wilson at digicert.com
Thu Jul 27 11:37:22 MST 2017
Notes of Network Security Working Group meeting of 27-July-2017
Attendees were: Ben Wilson (DigiCert), Dean Coclin (Symantec), Dimitris Zacharopoulos (HARICA), Neil Dunbar (Trustcor), Peter Bowen (Amazon), Ryan Hurst (Google), Robin Alden (Comodo), Tobias Josefowitz (Opera), Travis Graham (GoDaddy), Wendy Brown (Protiviti), Xiu Lei (GDCA)
Dimitris shared a link to the GitHub document that incorporates suggested changes from our last meeting: https://github.com/cabforum/documents/pull/64/files?short_path=50fc941#diff-50fc941f7be640a0bf58764b83d5d9e7
The group discussed the appropriate scope of the first ballot coming out of the Working Group. Ben asked whether we should include changes suggested after the Bilbao meeting. (See https://github.com/cabforum/documents/commit/d861828b850cdbc2f94372bae64209548145c412)
It was decided that a couple of changes could be made to sections 1.a. and 1.b. relatively easily, but that other changes might require more discussion, so they would not be included in an initial ballot.
Section 1.a. would be amended to read, "Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs."
Section 1.b. would be amended to read, "Apply equivalent security controls to all systems co-located in the same network."
The group then discussed "air gapped" in the context of section 1.c. Ben asked whether the issue is that there are systems that are online but not air gapped. Neil suggested that "offline" had to do more with its normal powered state versus its online, networked state, and that with offline you'd normally expect the equipment to be powered down, whereas air-gapped means it is not physically connected outside of its own closed network. Wendy said that there are situations where the HSM is powered up and there are other systems that are connected to a port, so it's on an isolated network. Neil said that if there is no portable ingress or egress to/from the host, that would be an air-gapped CA. Peter said that many HSMs use Ethernet to connect to their hosts, so some auditors may focus on the existence of a network cable connection from the HSM to the host. Neil said that this has to be explained to the auditor: the cable connected through a hub to the host computer is for a special purpose, so yes, it's on a network, but that network is not connected to anything else.
Ben asked whether we could make a change to 1.c. to have it say, "c. Maintain Root CA Systems in a High Security Zone and in an offline state, air-gapped, or otherwise physically and logically isolated from other networks". It was suggested that, because we were out of time, we continue the discussion about offline Root CAs on the list and that we take as homework an assignment to research whether there is other language out there on this topic that has already been adopted or used.
Next meeting: 10 August 2017