[cabf_netsec] Threat model for "Root CA System" is ready for discussion

Dimitris Zacharopoulos jimmy at it.auth.gr
Sat Mar 3 08:48:12 MST 2018

On 27/2/2018 9:27 μμ, Tim Hollebeek wrote:
> Looks good to me.  At the very least it will provoke an interesting 
> discussion about whether this is how we want to continue to move forward.

I added some colors 
on the proposed mandatory (MUST/SHALL) compensating controls, based on 
how likely they are to be adopted and accepted by members.

Feel free to comment and propose color changes if you think some "green" 
proposals should be changed to "yellow".


> -Tim
> *From:*Netsec [mailto:netsec-bounces at cabforum.org] *On Behalf Of 
> *Dimitris Zacharopoulos via Netsec
> *Sent:* Tuesday, February 27, 2018 12:22 PM
> *To:* netsec at cabforum.org
> *Subject:* Re: [cabf_netsec] Threat model for "Root CA System" is 
> ready for discussion
> Following-up on this topic, I created a short presentation for the F2F 
> to discuss the results of the Threat Analysis approach.
> If anyone wants to suggest improvements, please do so either privately 
> or on this list.
> Thank you,
> Dimitris.
> On 14/2/2018 7:29 μμ, Dimitris Zacharopoulos via Netsec wrote:
>     Dear NetSec WG members,
>     The Network Security sub-group that worked towards a "Threat
>     Analysis for a Root CA System" has completed its work. We examined
>     threats and vulnerabilities in Root CA Management Systems and
>     recommended compensating controls to minimize these risks.
>     We also did a mapping to existing Network Security Requirements
>     controls that describe similar compensating controls. Wherever we
>     introduced new controls that do not exist in the current Network
>     Security Requirements, we provided a recommendation for "SHOULD"
>     or "MUST".
>     You can find this work at the following spreadsheet:
>       * https://docs.google.com/spreadsheets/d/16kRPobK31Qb7L4ooq4SJE6K6OmfPOizdtV9M-m475WU
>         <https://clicktime.symantec.com/a/1/SJ6PPN9a7eJEjCYwg_LX93NrZU2N567xclcgqJegWPY=?d=rF-t6Ua7Ge2-B8MpqPiexsASRbbcot2CIh5JXTtH1G-pNKtdPIPD1zPpsZwWxsXMCYp4zYU9YATujMRA2j3ht7gPYqZqFFZjK2OJyi_M8C5sWNAXWhrfLb1U4pQuSzC6ITzh1ro3EjMyp-_Jkm5mDudkyxS8aLKQ76je6US6lccst84DcJpCTzcxK8ghG-4YStvrLnZ08RMb0FgMlE8QvFnVpePFZgcjfk_fGNGoBiRpRY8SzJVfm5tDFdb_UpqLACpYiHW7hI1WrXWblVh92Mj6tI_PYU8ao_uwJ2g-6h65U_AS7KaepTrLUKMm8zV3z6QCHWvOaRbyN_j1H0oyDfqr4fWaX06KWAnWrQwIR77o_KGaUru-DiGEsuSf241S83fuO1-qcZOjptxtSuGOCD8Kz-kcj2mRKHmIAbsloJwWfH1auITFEP1oaCkxDaA%3D&u=https%3A%2F%2Fdocs.google.com%2Fspreadsheets%2Fd%2F16kRPobK31Qb7L4ooq4SJE6K6OmfPOizdtV9M-m475WU>
>     This is not an exhaustive list of threats or vulnerabilities but
>     enough to justify some existing Network Security Requirements and
>     some critical risks. We recommend members to examine this
>     spreadsheet and give us feedback about whether this "threat
>     analysis" approach is useful (or not) and if it should be expanded
>     to the online CA Management Systems as well (or not). We also
>     welcome comments about specific items of the spreadsheet.
>     We would like 15-20 minutes on tomorrow's call to present the
>     results of our work.
>     I would like to thank everyone who volunteered to this sub-group
>     and provided their expert opinion. We will leave the sub-group
>     calendar invitation and webex room open for possible future calls,
>     but until we get some feedback from the larger group we consider
>     our work complete at this point. We will also have the opportunity
>     to expand more at the next face-to-face meeting.
>     Thank you,
>     Dimitris Zacharopoulos.
>     _______________________________________________
>     Netsec mailing list
>     Netsec at cabforum.org <mailto:Netsec at cabforum.org>
>     http://cabforum.org/mailman/listinfo/netsec
>     <https://clicktime.symantec.com/a/1/57VetFto0G2v2ib7iTcJdTx_GCfP8eC4bjidSOCC4xA=?d=rF-t6Ua7Ge2-B8MpqPiexsASRbbcot2CIh5JXTtH1G-pNKtdPIPD1zPpsZwWxsXMCYp4zYU9YATujMRA2j3ht7gPYqZqFFZjK2OJyi_M8C5sWNAXWhrfLb1U4pQuSzC6ITzh1ro3EjMyp-_Jkm5mDudkyxS8aLKQ76je6US6lccst84DcJpCTzcxK8ghG-4YStvrLnZ08RMb0FgMlE8QvFnVpePFZgcjfk_fGNGoBiRpRY8SzJVfm5tDFdb_UpqLACpYiHW7hI1WrXWblVh92Mj6tI_PYU8ao_uwJ2g-6h65U_AS7KaepTrLUKMm8zV3z6QCHWvOaRbyN_j1H0oyDfqr4fWaX06KWAnWrQwIR77o_KGaUru-DiGEsuSf241S83fuO1-qcZOjptxtSuGOCD8Kz-kcj2mRKHmIAbsloJwWfH1auITFEP1oaCkxDaA%3D&u=http%3A%2F%2Fcabforum.org%2Fmailman%2Flistinfo%2Fnetsec>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20180303/66b7ccfa/attachment.html>

More information about the Netsec mailing list