[cabf_netsec] Threat model for "Root CA System" is ready for discussion

Dimitris Zacharopoulos jimmy at it.auth.gr
Wed Feb 14 10:29:10 MST 2018

Dear NetSec WG members,

The Network Security sub-group that worked towards a "Threat Analysis
for a Root CA System" has completed its work. We examined threats and
vulnerabilities in Root CA Management Systems and recommended
compensating controls to minimize these risks.

We also did a mapping to existing Network Security Requirements controls
that describe similar compensating controls. Wherever we introduced new
controls that do not exist in the current Network Security Requirements,
we provided a recommendation for "SHOULD" or "MUST".

You can find this work at the following spreadsheet:

  * https://docs.google.com/spreadsheets/d/16kRPobK31Qb7L4ooq4SJE6K6OmfPOizdtV9M-m475WU

This is not an exhaustive list of threats or vulnerabilities but enough
to justify some existing Network Security Requirements and some critical
risks. We recommend members to examine this spreadsheet and give us
feedback about whether this "threat analysis" approach is useful (or
not) and if it should be expanded to the online CA Management Systems as
well (or not). We also welcome comments about specific items of the

We would like 15-20 minutes on tomorrow's call to present the results of
our work.

I would like to thank everyone who volunteered to this sub-group and
provided their expert opinion. We will leave the sub-group calendar
invitation and webex room open for possible future calls, but until we
get some feedback from the larger group we consider our work complete at
this point. We will also have the opportunity to expand more at the next
face-to-face meeting.

Thank you,
Dimitris Zacharopoulos.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20180214/1a25797c/attachment.html>

More information about the Netsec mailing list