[cabf_netsec] Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Ben Wilson ben.wilson at digicert.com
Thu Jul 27 15:45:21 MST 2017

Based on Dimitris' recent updates to the document on GitHub (see
https://github.com/cabforum/documents/pull/64/files ), I've created a
pre-ballot that the Working Group should be able to endorse. See
https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR (pasted
below). I don't have the PDF ready yet, but I'll circulate it later.


Ballot 210 - Miscellaneous Changes to the Network and Certificate System
Security Requirements

The Network Security Working Group recommends that the Forum make the
following minor revisions to the Network and Certificate System Security
Requirements:

--Motion Begins--

In the Network and Certificate System Security Requirements:

ADD ETSI EN 319 411-1 to first sentence of the Scope and Applicability
section so that it reads "These Network and Certificate System Security
Requirements (Requirements) apply to all publicly trusted Certification
Authorities (CAs) and are adopted with the intent that all such CAs and
Delegated Third Parties be audited for conformity with these Requirements as
soon as they have been incorporated as mandatory requirements (if not
already mandatory requirements) in the root embedding program for any major
Internet browsing client and that they be incorporated into the WebTrust
<https://cabforum.org/wiki/WebTrust>  Service Principles and Criteria for
Certification Authorities, ETSI TS 101 456, ETSI TS 102 042 and ETSI EN 319
411-1 including revisions and implementations thereof, including any audit
scheme that purports to determine conformity therewith." 

REPLACE section 1.a. with "a. Segment Certificate Systems into networks
based on their functional or logical relationship, for example separate
physical networks or VLANs;"

REPLACE section 1.b. with "b. Apply equivalent security controls to all
systems co-located in the same network with a Certificate System;"

REPLACE "90 days" with "three (3) months" in section 2.g.ii. and 2.j so that
they read "ii. For accounts that are accessible from outside a Secure Zone
or High Security Zone, require that passwords have at least eight (8)
characters, be changed at least every three (3) months, use a combination of
at least numeric and alphabetic characters, that are not a dictionary word
or on a list of previously disclosed human-generated passwords, and not be
one of the user's previous four (4) passwords; and implement account lockout
for failed access attempts in accordance with subsection k; OR" AND "j.
Review all system accounts at least every three (3) months and deactivate
any accounts that are no longer necessary for operations;"

REPLACE section 2.m. with "m. Enforce multi-factor / multi-party
authentication for administrator access to Issuing Systems and Certificate
Management Systems;" 

REPLACE section 2.o. with "o. Restrict remote administration or access to an
Issuing System, Certificate Management System, or Security Support System
except when: (i) the remote connection originates from a device owned or
controlled by the CA or Delegated Third Party, (ii) the remote connection is
through a temporary, non-persistent encrypted channel that is supported by
multi-factor authentication, and (iii) the remote connection is made to a
designated intermediary device (a) located within the CA's network, (b)
secured in accordance with these Requirements, and (c) that mediates the
remote connection to the Issuing System." 

REPLACE "every 30 days and" with "once a month to" in section 3.e. so that
it reads "e. Conduct a human review of application and system logs at least
once a month to validate the integrity of logging processes and ensure that
monitoring, logging, alerting, and log-integrity-verification functions are
operating properly (the CA or Delegated Third Party MAY use an in-house or
third-party audit log reduction and analysis tool); and" 

REPLACE 4.a. with "a. Implement intrusion detection and prevention controls
under the control of CA or Delegated Third Party Trusted Roles to protect
Certificate Systems against common network and system threats;" 

REPLACE 4.c. with "c. Undergo or perform a Vulnerability Scan (i) within one
(1) week of receiving a request from the CA/Browser Forum, (ii) after any
system or network changes that the CA determines are significant, and (iii)
at least every three (3) months, on public and private IP addresses
identified by the CA or Delegated Third Party as the CA's or Delegated Third
Party's Certificate Systems;"

REPLACE the definition of Security Support System in the Definitions with
"Security Support System: A system used to provide security support
functions, which MAY include authentication, network boundary control, audit
logging, audit log reduction and analysis, vulnerability scanning, and
intrusion detection (Host-based intrusion detection / Network-based
intrusion detection)." 

Make other editorial changes as indicated at
https://github.com/cabforum/documents/pull/64/files and in the attached PDF.

--Motion Ends--

Ben Wilson, JD, CISA, CISSP

VP Compliance

+1 801 701 9678
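The password rules quoted above for section 2.g.ii (minimum eight characters, rotation at least every three months, a mix of numeric and alphabetic characters, no dictionary words or previously disclosed passwords, no reuse of the previous four) are concrete enough to be checked mechanically. The following Python is an added example written for this page; it is not part of the ballot, the NCSSR, or any CA/Browser Forum code. The dictionary word list, the disclosed-password list, the salt and the PBKDF2 iteration count are all constructed assumptions for the example; a real deployment would use full lists and its own password-hashing parameters.

```python
import calendar
import hashlib
import hmac
from datetime import date

# Constructed sample lists for this example (assumption: tiny stand-ins for
# a real dictionary and a real list of disclosed human-generated passwords).
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
DISCLOSED_PASSWORDS = {"qwerty123", "iloveyou1", "trustno1", "abc12345"}

MIN_LENGTH = 8        # "at least eight (8) characters"
HISTORY_DEPTH = 4     # "not one of the user's previous four (4) passwords"
ROTATION_MONTHS = 3   # "be changed at least every three (3) months"
PBKDF2_ITERATIONS = 100_000  # assumption for the example, not from the NCSSR


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash used only to compare a candidate against stored history.

    PBKDF2-HMAC-SHA256 from the standard library; history is kept as hashes so
    the previous cleartext passwords never need to be stored.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_password_policy(candidate: str, previous_hashes: list, salt: bytes) -> list:
    """Return the list of 2.g.ii rules the candidate violates (empty == passes).

    previous_hashes is the user's password history, oldest first, as produced
    by hash_password() with the same salt; only the last HISTORY_DEPTH entries
    are considered, matching "previous four (4) passwords".
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    has_digit = any(c.isdigit() for c in candidate)
    has_alpha = any(c.isalpha() for c in candidate)
    if not (has_digit and has_alpha):
        problems.append("must combine at least numeric and alphabetic characters")
    lowered = candidate.lower()
    if lowered in DICTIONARY_WORDS:          # exact-match check against the word list
        problems.append("is a dictionary word")
    if lowered in DISCLOSED_PASSWORDS:       # exact-match check against the breach list
        problems.append("appears on a list of previously disclosed passwords")
    new_hash = hash_password(candidate, salt)
    for old_hash in previous_hashes[-HISTORY_DEPTH:]:
        if hmac.compare_digest(new_hash, old_hash):  # constant-time comparison
            problems.append("matches one of the previous four passwords")
            break
    return problems


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def password_rotation_due(last_changed: date, today: date) -> bool:
    """True once three calendar months have elapsed since the last change."""
    return today >= add_months(last_changed, ROTATION_MONTHS)


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"
    history = [hash_password("OldPass1", salt)]
    print(check_password_policy("OldPass1", history, salt))       # reuse rejected
    print(check_password_policy("Corr3ctHorse", history, salt))   # passes
    print(password_rotation_due(date(2017, 7, 27), date(2017, 10, 27)))
```

The history check deliberately compares hashes rather than cleartext, and the three-month rotation is computed in calendar months (clamping 31 January plus three months to 30 April) rather than a fixed 90 days, since the ballot replaces "90 days" with "three (3) months".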