[cabf_netsec] NetSec Discussion Waves

Ben Wilson ben.wilson at digicert.com
Thu Apr 12 09:36:24 MST 2018


Re-circulating from Dimitris’ email last month.


NetSec WG Ballot waves


Wave 1 (Definitions)


(Re-)Define Account, HSPZ, Air-gapped Zone, Certificate Issuing Systems, Issuer CA System, Multifactor Authentication, Offline State, Root CA System, Secure Key Storage Device, Secure Zone


After some discussion with Ben and Neil at the F2F, here is our proposal:

Wave 1 should take care of the non-controversial definitions. We will address the more controversial definitions in the future.


Wave 2 (force MFA for Trusted Roles connected from outside a SZ or HSPZ)


2.g: when the authentication is with a username/password, maintain the 12-character rule when the connection is from within the SZ or HSPZ, but enforce MFA and require password complexity, and do not require changing the password every 3 months. Also, keep the lockout requirement.

2.n: enforce MFA on all Trusted Roles for Certificate Systems accessible from outside a SZ or HSPZ.

Clarify that certificate-based authentication can be considered MFA when the private key is stored in a Secure Key Storage Device (at least FIPS 140-2 Level 2 certified).


Wave 3 (do not use "group accounts" for Trusted Role operations and language improvements)


Strengthen the existing 2.f rule that requires a "unique credential" per Trusted Role.

Improve language for:
- a policy that requires individuals in Trusted Role to logout or lock workstations when no longer in use
- the inactivity time-outs
- the lockout requirement


Tim's proposed ballot takes care of "Waves 2 and 3" and should follow Wave 1 (definitions).


Wave 4 (log integrity and monitoring that logging is operational)


3.e: improve language to ensure log integrity and to monitor that logging is operating properly.


Then, Wave 4 is effectively renamed to "Wave 3".


Dimitris.


Wave 5 (password policy, adoption of NIST 800-63b (Appendix A) recommendations)


Update 2.g.iii.


Thoughts?

Dimitris.
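As an added illustration of the Wave 2 (2.g) and Wave 5 items above, and not text from this email or from any NetSec ballot, the Python below sketches a verifier-side password check in the style of NIST SP 800-63B section 5.1.1.2 and Appendix A: a 12-character minimum (the existing rule the email keeps), a 64-character ceiling, a blocklist of compromised, dictionary and context-specific values instead of composition rules, rejection of repetitive or sequential strings, NFKC normalization, and a lockout counter. The blocklist contents, the lockout threshold of 5 attempts and the sample account names are assumptions constructed for the example.

```python
"""Password acceptance and lockout checks in the spirit of NIST SP 800-63B.

Added example only: not code from the NetSec WG or the CA/Browser Forum.
Thresholds and list contents below are illustrative assumptions.
"""
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 12    # the 12-character rule the email keeps for in-zone logins
MAX_LENGTH = 64    # 800-63B: verifiers must permit at least 64 characters
MAX_FAILURES = 5   # assumed lockout threshold; the ballot keeps a lockout rule but this value is ours

# Constructed blocklist standing in for a breached-password / dictionary feed.
BLOCKLIST = {"password1234", "qwertyuiop12", "welcome12345", "changeme2018"}


def normalize(secret: str) -> str:
    """800-63B asks for Unicode NFKC normalization before comparison/storage."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """True for one repeated character or a strict +1/-1 code-point run."""
    if len(set(s)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def evaluate_password(candidate: str, username: str = "", service_words=()):
    """Return (accepted, reasons). No composition rules, per 800-63B Appendix A."""
    s = normalize(candidate)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = s.lower()
    if low in BLOCKLIST:
        reasons.append("on compromised/common password list")
    # Context-specific words: the account name and names of the service itself.
    context = [w.lower() for w in (username, *service_words) if w]
    if any(w in low for w in context):
        reasons.append("contains username or service name")
    if is_repetitive_or_sequential(low):
        reasons.append("repetitive or sequential characters")
    return (not reasons, reasons)


@dataclass
class LockoutTracker:
    """Counts consecutive failures per account and locks at the threshold."""
    max_failures: int = MAX_FAILURES
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt; return True if the account is (now) locked."""
        if account in self.locked:
            return True            # stays locked until an administrator clears it
        if success:
            self.failures.pop(account, None)
            return False
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.max_failures:
            self.locked.add(account)
            return True
        return False


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Password1234", "alice-is-great-2018"):
        print(pw, evaluate_password(pw, username="alice", service_words=("cawork",)))
    t = LockoutTracker()
    print([t.record("alice", False) for _ in range(MAX_FAILURES)])
```

The checks are deliberately independent of character classes: under 800-63B the blocklist and length rules replace "upper, lower, digit, symbol" composition requirements, and the lockout counter is what bounds online guessing.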

