[cabf_netsec] Notes from Today's NetSec Call

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Apr 26 23:08:22 MST 2018



On 27/4/2018 7:24 AM, Ben Wilson via Netsec wrote:
>
> During today’s call we reviewed the terminology we’ve been using and 
> terms defined in the NCSSRs. We discussed the need for a better 
> architectural framework for CAs, an understanding of data flows, and 
> the interconnectivity among systems.
>
> We’re still looking for a better model that we can follow.
>
> Tobias noted that the way we’re trying to update the NCSSRs is really 
> tedious.  We might want to consider making bigger steps, although 
> changing from the existing NCSSRs might be too disruptive.  Should we 
> try decoupling from the existing NCSSRs?  We need a model of how to 
> operate a CA in a secure fashion and then work from there.
>
>
>
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org
> http://cabforum.org/mailman/listinfo/netsec

Sorry I missed yesterday's meeting. Making bigger steps, as historically 
demonstrated, is not an achievable goal. The NCSSRs have been used not 
just for CAs issuing SSL Certificates but for all kinds. They have been 
integrated in International audit standards (WebTrust, ETSI, who knows 
what else). I would recommend sticking to existing decisions and goals 
that were set both from the WG and from the larger Forum. We also agreed 
from the very beginning that we would try to tackle the 
non-controversial issues first before moving to the more controversial 
ones. I don't think we are ready to handle more controversial issues 
before dealing with the non-controversial ones.

Just to remind everyone, it was agreed at the latest F2F that the 
_threat-based model_, presented by the sub-group for Root CA Management 
Systems as a proof-of-concept, was welcomed by everyone including 
auditors present. During that sub-group process, we had repeated 
discussions about how to operate a Root CA management system in a secure 
fashion in 2017-2018, identified threats and vulnerabilities and 
recommended compensating controls to limit the associated risks and 
impact. At some point, these compensating controls *should enter the 
NCSSRs* and revise existing, remove unnecessary or add new controls.

We have an agreed-upon roadmap which people consider effective, 
efficient and in the right direction. If WG members would like to 
explore new models, I would recommend following a similar path to the 
"threat-analysis for Root CA Management Systems" sub-group. Work in 
parallel, and if things reach a working and presentable result, bring it 
back to the larger Working Group for assessment. Then the WG could 
present it to the larger Forum at an upcoming F2F.

I will try to summarize the plan I had in mind (coming from past 
discussions/decisions) and please correct me if I miss anything.

 1. Introduction of 2FA and enforcing it for connections initiated
    outside a SZ or HSZ: Ballot 221 about the 2FA is still in the
    discussion phase.
 2. Fix as many of the ambiguous definitions and follow these principles:
     1. have simpler definitions that would cause less confusion,
     2. use Peter's suggestion for definition "quality control" by
        replacing the definition text in the requirements and see if the
        result makes sense,
     3. avoid entering Normative requirements in the definitions and
        move them in the requirements section instead of the definition
        itself.
 3. Address logging issues more specifically about integrity and
    availability,
 4. Address or at least discuss the feedback we received from the
    WebTrust Task Force on March 29th 2018 and respond with either
    clarifications or plan to address these issues,
 5. Update the NCSSRs with specific requirements for the Root CA
    Management Systems,
 6. Perform a similar threat analysis for Issuing CA Management Systems
    (this is probably when we will hear about modern security and
    current best practices in Issuing CA management Systems, like we did
    with the Root CA management systems)

Of course the order could change if deemed necessary.

I hope all this makes sense. It would be nice to indicate individual 
positions in order to help determine the next steps. Let's try to 
accomplish a couple of milestones first before radically changing course :)


Dimitris.
