[cabf_netsec] "Zones" Ballot Endorsers

Ben Wilson bwilson at mozilla.com
Wed Jun 24 19:09:27 MST 2020


Here is the pull request and redlines for this ballot -
https://github.com/BenWilson-Mozilla/documents/pull/3/files

or here is another comparison link:
https://github.com/cabforum/documents/compare/master...BenWilson-Mozilla:Zones-BR5.1


I haven't added in dates or endorsers yet, but here is the draft ballot:
https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing

On Mon, Jun 1, 2020 at 1:11 PM Ben Wilson <bwilson at mozilla.com> wrote:

> This isn't aimed at the Offline CA ballot - it deals with whether we
> define "CA equipment".  Sorry for the confusion.
>
> On Mon, Jun 1, 2020 at 1:05 PM Ponds-White, Trevoli <trevolip at amazon.com>
> wrote:
>
>> Daymion from GoDaddy right? We had cut the scoping definitions out of a
>> previous ballot because it made it too bloated with different topics and I
>> thought we decided those should have their own ballot.
>>
>> How do these changes overlap with the ballot that is clarifying offline
>> CA requirements?
>>
>> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Ben Wilson
>> via Netsec
>> *Sent:* Monday, June 1, 2020 11:23
>> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>> *Cc:* CABF Network Security List <netsec at cabforum.org>
>> *Subject:* RE: [EXTERNAL] [cabf_netsec] [EXTERNAL]Re: "Zones" Ballot
>> Endorsers
>>
>> Also, in working on this, I recalled that Daymion when he was at Google
>> had requested that we define the scope of the requirements.
>>
>> Excerpted below:
>>
>> Add below section to the “Scope and Applicability” to define scope of PKI
>> Trusted Environment and to read as follows:
>>
>> The network security requirements apply to all system components included
>> in or connected to the publicly trusted certificate authority (CA)
>> environment. The CA environment is comprised of people, processes and
>> technologies that store, process, or transmit CA data. “System components”
>> include network devices, servers, hardware security modules (HSM),
>> computing devices, and applications residing within the CA environment.
>> Examples of system components include, but are not limited to the following:
>>
>> a.    Systems that provide security services (for example, authentication
>> servers), facilitate segmentation (for example, internal firewalls), or may
>> impact the security of (for example, name resolution or web redirection
>> servers).
>>
>> b.    Virtualization components such as virtual machines, virtual
>> switches/routers, virtual appliances, virtual applications/desktops, and
>> hypervisors.
>>
>> c.    Network components including but not limited to firewalls,
>> switches, routers, network appliances, IPMI remote management cards, HSM
>> and other security appliances.
>>
>> d.    Server types including but not limited to web, application,
>> database, authentication, mail, proxy, Network Time Protocol (NTP), and
>> Domain Name System (DNS).
>>
>> e.    Applications including all purchased and custom applications.
>>
>> f.    Any other component or device located within the CA environment.
>>
>> On Thu, May 28, 2020 at 1:01 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>
>> I'll work on a re-draft, hopefully this afternoon, and re-circulate it.
>>
>> On Thu, May 28, 2020 at 12:53 PM Bruce Morton <
>> Bruce.Morton at entrustdatacard.com> wrote:
>>
>> I would assume that if we did not amend the BRs, then it would look like
>> the security requirements were being reduced. So yes, I think that the BRs
>> should be changed at the same time.
>>
>> Bruce.
>>
>> *From:* Ben Wilson <bwilson at mozilla.com>
>> *Sent:* Thursday, May 28, 2020 2:45 PM
>> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>> *Cc:* Neil Dunbar <ndunbar at trustcorsystems.com>; CABF Network Security
>> List <netsec at cabforum.org>
>> *Subject:* Re: [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>
>> I'm open to discussion on this.  Would we want to amend section 5.1 of
>> the BRs with the same ballot?
>>
>> On Thu, May 28, 2020 at 12:33 PM Bruce Morton <
>> Bruce.Morton at entrustdatacard.com> wrote:
>>
>> Hi Ben,
>>
>> Thanks for all the work on this ballot. I am wondering if we should try
>> to remove physical security and physical access requirements from the
>> NetSec document. Physical Security requirements could be put into BR 5.1 in
>> a section called Physical Security Controls.
>>
>> For instance, item 1.c. states “Maintain Root CA Systems in a Physically
>> Secure Environment and in an offline state or air-gapped from all other
>> networks.” This could be changed so that 1.c. states “Maintain Root CA
>> Systems in an offline state or air-gapped from all other networks” and BR
>> 5.1 could state “Maintain CA Systems in a physically secure environment.”
>>
>> It also seems that, now that the old zone definitions have been combined,
>> Physically Secure Environment now covers both physical and logical
>> environments. If we eliminate physical security, then we could just address
>> logical security, which could be better applied to the NetSec document.
>>
>> In a future ballot, we might want to push some of the Trusted Role
>> requirements into BR 5.2.
>>
>> Thanks, Bruce.
>>
>> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Neil Dunbar
>> via Netsec
>> *Sent:* Tuesday, May 26, 2020 7:42 AM
>> *To:* netsec at cabforum.org
>> *Subject:* [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>
>> I'm happy to endorse, Ben. Trev and David also said they would be good to
>> endorse the ballot.
>>
>> Neil
>>
>> On 13/05/2020 20:58, Ben Wilson via Netsec wrote:
>>
>> I can't remember whether there were people who volunteered to be
>> endorsers of the "Zones" ballot.
>>
>> See below:
>>
>> Ballot and Explanation -
>> https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing
>>
>> Redlined version of NCSSRs -
>> https://drive.google.com/file/d/1n6LPNN0WJY9Cdw5qOl2-fFzQxBiZtw-q/view?usp=sharing