[cabf_netsec] FW: Network Security Policy Update

Daymion T. Reynolds dreynolds at godaddy.com
Thu Apr 18 09:18:27 MST 2019

I sent this to Ben / Tev yesterday. Could you review as well and suggest changes?

I am free to discuss with NetSec today.


From: Daymion T. Reynolds
Sent: Wednesday, April 17, 2019 11:45 AM
To: Ben Wilson <ben.wilson at digicert.com>; Ponds-White, Trevoli <trevolip at amazon.com>
Subject: Network Security Policy Update
Importance: High

Below is the first rev of the potential scope update to the NSP document. I have updated the original proposal to include the newer v1.2 base document. Attached are the MD files for this change. (Original=NSP.md, Updated= NSR-1.3-Change.md, diff= NSR-1.2-change-diff.md). Where would you like for me to submit the attachments for others to review?

What changes, rewording etc would you suggest?

Thank you for considering and reviewing the below proposal.



This ballot modifies the "Network Security Policy" as follows, based on Version 1.2:

Add below section to the "Scope and Applicability" to define scope of PKI Trusted Environment and to read as follows:

The network security requirements apply to all system components included in or connected to the publicly trusted certificate authority (CA) environment. The CA environment is comprised of people, processes and technologies that store, process, or transmit CA data. "System components" include network devices, servers, hardware security modules (HSMs), computing devices, and applications residing within the CA environment. Examples of system components include, but are not limited to, the following:

a.    Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CA environment (for example, name resolution or web redirection servers).

b.    Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

c.    Network components including but not limited to firewalls, switches, routers, network appliances, HSMs and other security appliances.

d.    Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).

e.    Applications including all purchased and custom applications.

f.    Any other component or device located within the CA environment.

To be considered out of scope for the CA environment, a system component must be properly isolated (segmented) from the CA environment, such that even if the out-of-scope system component were compromised it could not impact the security of the CA environment.

Modify glossary to contain definitions for the following:

**Certificate Authority Environment:** The area where certificates are generated and stored for later transmission to the requester.

**Connected To:** Components within the certificate authority environment which exchange data.

When Ballot SCX is finalized, this ballot shall define the scope of the trusted environment for network security requirements.


A comparison of the changes can be found at: TBD

The procedure for approval of this ballot is as follows:

Discussion (7 days)

Start Time: TBD

End Time: TBD

Vote for approval (7 days)

Start Time: TBD

End Time: TBD

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20190418/74f5d170/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NSR-1.3-Change.md
Type: application/octet-stream
Size: 20045 bytes
Desc: NSR-1.3-Change.md
URL: <http://cabforum.org/pipermail/netsec/attachments/20190418/74f5d170/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NSR.md
Type: application/octet-stream
Size: 18146 bytes
Desc: NSR.md
URL: <http://cabforum.org/pipermail/netsec/attachments/20190418/74f5d170/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NSR-1.2-change-diff.md
Type: application/octet-stream
Size: 11945 bytes
Desc: NSR-1.2-change-diff.md
URL: <http://cabforum.org/pipermail/netsec/attachments/20190418/74f5d170/attachment-0005.obj>
