[cabf_netsec] Ballot: Security Requirements for Offline CAs

Ben Wilson bwilson at mozilla.com
Mon Jul 27 08:26:48 MST 2020


We need just one more endorser for the Offline CA ballot and then we can
assign a ballot number and start the discussion. Also, I'm not sure whether
Neil has had a chance to talk with Dimitris, but if moving this ballot
forward to voting is still a problem, I'm sure we can work around things
and make progress.

On Sun, Jul 19, 2020 at 3:24 PM Ben Wilson <bwilson at mozilla.com> wrote:

> If we could get a few endorsers, then we could get a Ballot # assigned.
>
> On Mon, Jul 13, 2020 at 9:49 AM Ben Wilson <bwilson at mozilla.com> wrote:
>
>> All,
>> Here is the draft ballot for security requirements for Offline CAs.
>> Please review and let everyone know whether you're willing to sponsor
>> and/or endorse.
>> Thanks,
>> Ben
>>
>> Ballot SC XX: Security Requirements for Offline CA Systems
>>
>> Purpose of the Ballot:
>>
>> Offline CA systems operate differently than online systems and have a
>> different risk profile. While including Offline CA systems, the current
>> Network and Certificate System Security Requirements focus on online
>> systems and contain a number of requirements that are not practical to
>> implement in an offline environment and could increase the risk to an
>> offline environment.
>>
>> As an example, access to offline systems frequently elevates the risk to
>> the environment. A quarterly vulnerability scan in the offline environment
>> is not practical, because there is an increased risk involved with
>> attaching a scanning device to an Offline CA system.
>>
>> This ballot develops a working definition for an “Offline CA System” to
>> allow for a clear delineation between those system components that fall
>> under the “Offline” requirements and those under all other requirements.
>> While this ballot introduces a new section 5, this ballot only makes minor
>> changes to the current requirements by replacing some online requirements
>> with physical security requirements for offline CAs. The new section 5
>> presents logical security requirements in subsections a through m and
>> physical security requirements in subsections p through w. Otherwise, this
>> ballot does not add any new requirements. This will create a separate set
>> of requirements that apply only to Offline CA Systems.
>>
>> These proposed subsections in a new section 5 come from the current
>> NCSSRs as follows:
>>
>> Description                                       Offline Criteria #   General Criteria #
>>
>> Logical Security
>> Configuration review                              5a                   1h
>> Appointing individuals to trusted roles           5b                   2a
>> Grant access to offline CAs                       5c                   1i
>> Document responsibilities of Trusted roles        5d                   2b
>> Segregation of duties                             5e                   2d
>> Require least privileged access for Trusted Roles 5f                   2e
>> All access tracked to individual account          5g                   2f
>> Password requirements                             5h                   2gi
>> Review logical access                             5i                   2j
>> Implement multi-factor access                     5j                   2m
>> Monitor offline CA systems                        5k                   3b
>> Review logging integrity                          5l                   3e
>> Monitor archive and retention of logs             5m                   3f
>>
>> Physical Security
>> Grant physical access                             5p                   1i
>> Multi-person physical access                      5q                   1j
>> Review physical access                            5r                   2j
>> Video monitoring                                  5s                   3a
>> Physical access monitoring                        5t                   3a
>> Review accounts with physical access              5u                   2j
>> Monitor retention of physical access of records   5v                   3f
>> Review integrity of physical access logs          5w                   3e
>>
>> This motion is made by _______ of _______ and endorsed by ________ of
>> _________ and ________ of _________.
>>
>>
>> --- Motion Begins ---
>>
>> That the CA/Browser Forum Server Certificate Working Group adopt the
>> following requirements as amendments to the Network and Certificate System
>> Security Requirements:
>>
>>
>> https://github.com/BenWilson-Mozilla/documents/commit/99ea75f4ad19c58a7f9eb2829e63fb1678a838fa
>>
>>
>> Definitions:
>>
>> **Offline CA System:** A system that is air-gapped and separated from
>> other systems used by a CA or Delegated Third Party in storing and managing
>> CA private keys and performing signing and logging operations.
>>
>> Requirements:
>>
>> # 5. GENERAL PROTECTIONS FOR OFFLINE CA SYSTEMS
>>
>> This Section 5 separates requirements for Offline CA Systems into two
>> categories--logical security and physical security.
>>
>> Logical Security of Offline CA Systems
>>
>> Certification Authorities and Delegated Third Parties SHALL implement the
>> following controls to ensure the logical security of Offline CA Systems:
>>
>> a.      Review static configurations of Offline CA Systems at least on
>> an annual basis to determine whether any changes violated the CA’s security
>> policies;
>>
>> b.      Follow a documented procedure for appointing individuals to
>> Trusted Roles on Offline CA Systems;
>>
>> c.      Grant logical access to Offline CA Systems only to persons
>> acting in Trusted Roles and require their accountability for the Offline CA
>> System’s security;
>>
>> d.      Document the responsibilities and tasks assigned to Trusted
>> Roles and implement “separation of duties” for such Trusted Roles based on
>> the security-related concerns of the functions to be performed;
>>
>> e.      Ensure that an individual in a Trusted Role acts only within the
>> scope of such role when performing administrative tasks assigned to that
>> role;
>>
>> f.      Require employees and contractors to observe the principle of
>> “least privilege” when accessing, or when configuring access privileges on,
>> Offline CA Systems;
>>
>> g.      Require that all access to systems and offline key material can
>> be traced back to an individual in a Trusted Role (through a combination of
>> recordkeeping, use of logical and physical credentials, authentication
>> factors, video recording, etc.);
>>
>> h.      If an authentication control used by a Trusted Role is a
>> username and password, then, where technically feasible, require that
>> passwords have at least twelve (12) characters;
>>
>> i.      Review logical access control lists at least annually and
>> deactivate any accounts that are no longer necessary for operations;
>>
>> j.      Enforce Multi-Factor Authentication OR multi-party
>> authentication for administrator access to Offline CA Systems;
>>
>> k.      Identify those Offline CA Systems capable of monitoring and
>> logging system activity and enable those systems to continuously monitor
>> and log system activity. Back up logs to an external system each time the
>> system is used or on a quarterly basis, whichever is less frequent;
>>
>> l.      On a quarterly basis or each time the Offline CA System is used,
>> whichever is less frequent, check the integrity of the logical access
>> logging processes and ensure that logging and log-integrity functions are
>> effective;
>>
>> m.      On a quarterly basis or each time the Offline CA System is used,
>> whichever is less frequent, monitor the archival and retention of logical
>> access logs to ensure that logs are retained for the appropriate amount of
>> time in accordance with the disclosed business practices and applicable
>> legislation.
>>
>> n. & o. Reserved for future use.
>>
>> Physical Security of Offline CA Systems
>>
>> Certification Authorities and Delegated Third Parties SHALL implement the
>> following controls to ensure the physical security of Offline CA Systems:
>>
>> p.      Grant physical access to Offline CA Systems only to persons
>> acting in Trusted Roles and require their accountability for the Offline CA
>> System’s security;
>>
>> q.      Ensure that only personnel assigned to Trusted Roles have
>> physical access to Offline CA Systems and multi-person access controls are
>> enforced at all times;
>>
>> r.      Implement a process that removes physical access of an
>> individual to all Offline CA Systems within twenty four (24) hours upon
>> termination of the individual’s employment or contracting relationship with
>> the CA or Delegated Third Party;
>>
>> s.      Implement video monitoring, intrusion detection, and prevention
>> controls to protect Offline CA Systems against unauthorized physical access
>> attempts;
>>
>> t.      Implement a Security Support System that monitors, detects, and
>> reports any security-related configuration change to the physical access to
>> Offline CA Systems;
>>
>> u.      Review all system accounts on physical access control lists at
>> least every three (3) months and deactivate any accounts that are no longer
>> necessary for operations;
>>
>> v.      On a quarterly basis or each time the Offline CA System is used,
>> whichever is less frequent, monitor the archival and retention of the
>> physical access logs to ensure that logs are retained for the appropriate
>> amount of time in accordance with the disclosed business practices and
>> applicable legislation.
>>
>> w.      On a quarterly basis or each time the Offline CA System is used,
>> whichever is less frequent, check the integrity of the physical access
>> logging processes and ensure that logging and log-integrity functions are
>> effective.
>>
>>
>> --- Motion Ends ---
>>
>> Discussion Period -
>>
>>