[cabf_netsec] Threat model for "Root CA System" is ready for discussion

Tim Hollebeek tim.hollebeek at digicert.com
Tue Feb 27 13:51:35 MST 2018

Looks good to me.  At the very least it will provoke an interesting discussion about whether this is how we want to continue to move forward.




From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Dimitris Zacharopoulos via Netsec
Sent: Tuesday, February 27, 2018 12:22 PM
To: netsec at cabforum.org
Subject: Re: [cabf_netsec] Threat model for "Root CA System" is ready for discussion


Following up on this topic, I created a short presentation for the F2F to discuss the results of the Threat Analysis approach.

If anyone wants to suggest improvements, please do so either privately or on this list.

Thank you,

On 14/2/2018 7:29 PM, Dimitris Zacharopoulos via Netsec wrote:

Dear NetSec WG members,

The Network Security sub-group that worked towards a "Threat Analysis for a Root CA System" has completed its work. We examined threats and vulnerabilities in Root CA Management Systems and recommended compensating controls to minimize these risks. 

We also did a mapping to existing Network Security Requirements controls that describe similar compensating controls. Wherever we introduced new controls that do not exist in the current Network Security Requirements, we provided a recommendation for "SHOULD" or "MUST".

You can find this work at the following spreadsheet:

*	https://docs.google.com/spreadsheets/d/16kRPobK31Qb7L4ooq4SJE6K6OmfPOizdtV9M-m475WU

This is not an exhaustive list of threats or vulnerabilities but enough to justify some existing Network Security Requirements and some critical risks. We recommend that members examine this spreadsheet and give us feedback about whether this "threat analysis" approach is useful (or not) and if it should be expanded to the online CA Management Systems as well (or not). We also welcome comments about specific items of the spreadsheet.

We would like 15-20 minutes on tomorrow's call to present the results of our work.

I would like to thank everyone who volunteered for this sub-group and provided their expert opinion. We will leave the sub-group calendar invitation and webex room open for possible future calls, but until we get some feedback from the larger group we consider our work complete at this point. We will also have the opportunity to expand more at the next face-to-face meeting.

Thank you,
Dimitris Zacharopoulos.
