[cabf_netsec] Exceptions to NetSec Requirements for Offline Keys

Ben Wilson ben.wilson at digicert.com
Thu Oct 17 08:00:42 MST 2019

Here is a proposal for consideration/discussion:


The following provisions of the Requirements do not apply to Offline CAs
(because such systems are maintained in an offline state):  


3.1 (Segment Systems), 

3.5 (Implement Network Security Support Systems), 

3.6 (Configure Network boundary controls), 

3.7 (Disable services, protocols, ports), 

3.8 (Remote administration), 

4.5 (Multi-Factor Authentication for external access), 

4.7 (Passwords for external access), 

4.16 (Review system accounts every 3 months), 

5.1 (Review configurations weekly), 

5.2 (monitoring and detection), 

5.4 (automated alerts - except for physical security), 

6.2 (logical intrusion detection and prevention controls), 

6.4 (Vulnerability Scans), 

6.5 (Penetration Tests), and 

6.6 (Qualified vulnerability / penetration tester).
