[cabf_netsec] Threat model approach for "Root CA System"

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Oct 2 08:55:57 MST 2017

Hello Ben,

This is a useful approach and we could discuss at the next WG meeting. 
For what it's worth, I am not fully aware of the internals of the 
DigiNotar case and I've only read what's publicly available. This means 
I don't know how the DigiNotar model was used to come to the NSRs but 
since we decided to update the NSRs we should try to describe things as 
clear as possible. It is the WGs common understanding, mentioned in the 
previous calls, that one of the problems with the current NSRs is that 
we're not sure what problem each control is trying to solve and what 
threat/risk each control is trying to mitigate.

In any case, I think that listing specific threats and risks for a Root 
CA System is very useful, especially if there is a common understanding 
by several experienced individuals associated with publicly trusted CAs 
and Browsers.

I don't expect getting significant progress for several months ahead, 
especially with the rate of meetings and participation but I'm hoping 
that the final result will be a threat model that will describe the most 
important and critical threats to a Root CA System. This analysis is not 
intended to delay the work of the WG and, as we discussed on the last 
call, this work can run in parallel.

Here is a very rough example of the expected outcome. 


On 2/10/2017 6:08 πμ, Ben Wilson wrote:
> I hope your sub-group has been able to make some progress.  I fear that
> trying to enumerate the threats and risks might take us in the direction of
> "boiling the ocean".  Hopefully you've been able to narrow the scope of
> discussion.  (One approach to narrow the scope that we used before was the
> DigiNotar incident.  We used DigiNotar as the model on which to write up the
> NCSSRs.)
> -----Original Message-----
> From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Dimitris
> Zacharopoulos via Netsec
> Sent: Friday, September 22, 2017 8:12 AM
> To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
> Subject: [cabf_netsec] Threat model approach for "Root CA System"
> Dear NetSec WG members,
> In yesterday's WG meeting, we introduced the idea of approaching the "Root
> CA System" in a "threat model" way and see how that turns out. The
> justification behind trying this approach is that the current Network
> Security Requirements include some very specific security requirements and
> controls but don't actually describe what are the threats they try to
> prevent from happening or which vulnerabilities they try to mitigate.
> Also, defining a reasonable "security perimeter" for a "Root CA System"
> is a challenge and each CA might see it in a number of ways. Knowing what we
> want to protect against can help CAs better define this "security
> perimeter".
> If we list specific threats and vulnerabilities, even obvious ones, then we
> can try to map the current NSR controls to these risks and see if they do a
> reasonable job in 2017. If they don't, we will try improving or replacing
> existing controls or even add new ones so that the "Root CA System" is
> "reasonably" protected. As we all know, there is no 100% security but
> "reasonably" for a Root CA System should be pretty close to that! We'll also
> try to talk about what threats we will explicitly not try to defend against!
> As a note from yesterday's meeting, this threat-model approach might end up
> with different requirements to what CAs are currently being audited against.
> This shouldn't work as a deterrent for improving the security of these
> systems and once this process matures, there will be adequate time for CAs
> to adapt to the updated security requirements.
> If anyone is interested in working with such an approach, please join me,
> Neil Dunbar (TrustCor) and Tom Ritter (Mozilla) by sending me a private
> e-mail. We will work independently and present our work to the NetSec WG so
> the same IPR policy applies.
> If this approach improves the Network Security Requirements update process,
> we might expand it to other concepts of the Network Security Requirements
> like the "Certificate Issuing System", maybe introduce a separate
> "Registration and enrollment System", we'll see.
> Best regards,
> Dimitris.
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org
> http://cabforum.org/mailman/listinfo/netsec

More information about the Netsec mailing list