[cabf_netsec] "Zones" Ballot Endorsers

Ben Wilson bwilson at mozilla.com
Thu Jun 25 08:08:56 MST 2020


Here is the URL with immutable links.
https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:f03fe22df70f4d4ff030c9b07467847dbf40baa8

On Thu, Jun 25, 2020 at 8:53 AM Ben Wilson <bwilson at mozilla.com> wrote:

> Awesome, thanks!
>
> On Thu, Jun 25, 2020 at 8:37 AM Dimitris Zacharopoulos (HARICA) <
> dzacharo at harica.gr> wrote:
>
>>
>>
>> On 2020-06-25 5:21 PM, Ben Wilson wrote:
>>
>> Thanks!  But even with an immutable link, since it is a pull in my
>> repository, do I need to archive it somehow for ballot history? Or does the
>> immutable link take care of that?
>>
>>
>> The immutable link takes care of that. It's global (regardless of your
>> repo or other repos). It's unique to the entire GitHub system
>>
>> Dimitris.
>>
>>
>> On Thu, Jun 25, 2020 at 4:23 AM Dimitris Zacharopoulos (HARICA) <
>> dzacharo at harica.gr> wrote:
>>
>>>
>>>
>>> On 2020-06-25 7:22 AM, Ben Wilson wrote:
>>>
>>> I tried to follow it, to a certain extent, but I wasn't sure how to
>>> create the immutable link.  I stopped short of creating a pull request to
>>> the CABF master - it's a pull request to my own master.
>>>
>>>
>>> To find the proper hashes, you look at the last commit from each branch
>>> that you are trying to compare. It took me some time to figure it out
>>> myself :)
>>>
>>> Dimitris.
>>>
>>>
>>>
>>> On Wed, Jun 24, 2020, 10:19 PM Dimitris Zacharopoulos (HARICA) <
>>> dzacharo at harica.gr> wrote:
>>>
>>>>
>>>> Hi Ben,
>>>>
>>>> Did you by any chance follow the process in
>>>> https://wiki.cabforum.org/github_redline_guide? If you did, I'd like
>>>> to know if you found it useful, clear/difficult to follow and so on so we
>>>> can improve it.
>>>>
>>>>
>>>> Thanks,
>>>> Dimitris.
>>>>
>>>> On 2020-06-25 5:09 AM, Ben Wilson via Netsec wrote:
>>>>
>>>> Here is the pull request and redlines for this ballot -
>>>> https://github.com/BenWilson-Mozilla/documents/pull/3/files
>>>>
>>>> or here is another comparison link:  https://github.com/cabforum/documents/compare/master...BenWilson-Mozilla:Zones-BR5.1
>>>>
>>>>
>>>> I haven't added in dates or endorsers yet, but here is the draft
>>>> ballot:
>>>> https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing
>>>>
>>>> On Mon, Jun 1, 2020 at 1:11 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>>>
>>>>> This isn't aimed at the Offline CA ballot - it deals with whether we
>>>>> define "CA equipment".  Sorry for the confusion.
>>>>>
>>>>> On Mon, Jun 1, 2020 at 1:05 PM Ponds-White, Trevoli <
>>>>> trevolip at amazon.com> wrote:
>>>>>
>>>>>> Daymion from GoDaddy right? We had cut the scoping definitions out of
>>>>>> a previous ballot because it made it too bloated with different topics and
>>>>>> I thought we decided those should have their own ballot.
>>>>>>
>>>>>>
>>>>>>
>>>>>> How do these changes overlap with the ballot that is clarifying
>>>>>> offline CA requirements?
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Ben
>>>>>> Wilson via Netsec
>>>>>> *Sent:* Monday, June 1, 2020 11:23
>>>>>> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>>>>>> *Cc:* CABF Network Security List <netsec at cabforum.org>
>>>>>> *Subject:* RE: [EXTERNAL] [cabf_netsec] [EXTERNAL]Re: "Zones" Ballot
>>>>>> Endorsers
>>>>>>
>>>>>>
>>>>>>
>>>>>> Also, in working on this, I recalled that Daymion when he was at
>>>>>> Google had requested that we define the scope of the requirements.
>>>>>>
>>>>>> Excerpted below:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Add below section to the “Scope and Applicability” to define scope of
>>>>>> PKI Trusted Environment and to read as follows:
>>>>>>
>>>>>>
>>>>>>
>>>>>> The network security requirements apply to all system components
>>>>>> included in or connected to the publicly trusted certificate authority (CA)
>>>>>> environment. The CA environment is comprised of people, processes and
>>>>>> technologies that store, process, or transmit CA data. “System components”
>>>>>> include network devices, servers, hardware security modules (HSM),
>>>>>> computing devices, and applications residing within the CA environment.
>>>>>> Examples of system components include, but are not limited to the following:
>>>>>>
>>>>>>
>>>>>>
>>>>>> a.    Systems that provide security services (for example,
>>>>>> authentication servers), facilitate segmentation (for example, internal
>>>>>> firewalls), or may impact the security of (for example, name resolution or
>>>>>> web redirection servers).
>>>>>>
>>>>>>
>>>>>>
>>>>>> b.    Virtualization components such as virtual machines, virtual
>>>>>> switches/routers, virtual appliances, virtual applications/desktops, and
>>>>>> hypervisors.
>>>>>>
>>>>>>
>>>>>>
>>>>>> c.    Network components including but not limited to firewalls,
>>>>>> switches, routers, network appliances, IPMI remote management cards, HSM
>>>>>> and other security appliances.
>>>>>>
>>>>>>
>>>>>>
>>>>>> d.    Server types including but not limited to web, application,
>>>>>> database, authentication, mail, proxy, Network Time Protocol (NTP), and
>>>>>> Domain Name System (DNS).
>>>>>>
>>>>>>
>>>>>>
>>>>>> e.    Applications including all purchased and custom applications.
>>>>>>
>>>>>>
>>>>>>
>>>>>> f.    Any other component or device located within the CA environment.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, May 28, 2020 at 1:01 PM Ben Wilson <bwilson at mozilla.com>
>>>>>> wrote:
>>>>>>
>>>>>> I'll work on a re-draft, hopefully this afternoon, and re-circulate
>>>>>> it.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, May 28, 2020 at 12:53 PM Bruce Morton <
>>>>>> Bruce.Morton at entrustdatacard.com> wrote:
>>>>>>
>>>>>> I would assume that if we did not amend the BRs, then it would look
>>>>>> like the security requirements were being reduced. So yes, I think that the
>>>>>> BRs should be changed at the same time.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Bruce.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Ben Wilson <bwilson at mozilla.com>
>>>>>> *Sent:* Thursday, May 28, 2020 2:45 PM
>>>>>> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>>>>>> *Cc:* Neil Dunbar <ndunbar at trustcorsystems.com>; CABF Network
>>>>>> Security List <netsec at cabforum.org>
>>>>>> *Subject:* Re: [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>>>>>
>>>>>>
>>>>>>
>>>>>> I'm open to discussion on this.  Would we want to amend section 5.1
>>>>>> of the BRs with the same ballot?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, May 28, 2020 at 12:33 PM Bruce Morton <
>>>>>> Bruce.Morton at entrustdatacard.com> wrote:
>>>>>>
>>>>>> Hi Ben,
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks for all the work on this ballot. I am wondering if we should
>>>>>> try to remove physical security and physical access requirements from the
>>>>>> NetSec document. Physical Security requirements could be put into BR 5.1 in
>>>>>> a section called Physical Security Controls.
>>>>>>
>>>>>>
>>>>>>
>>>>>> For instance, item 1.c. states “Maintain Root CA Systems in a
>>>>>> Physically Secure Environment and in an offline state or air-gapped from
>>>>>> all other networks.” This could be changed so that 1.c. states “Maintain
>>>>>> Root CA Systems in an offline state or air-gapped from all other networks”
>>>>>> and BR 5.1 could state “Maintain CA Systems in a physically secure
>>>>>> environment.”
>>>>>>
>>>>>>
>>>>>>
>>>>>> It also seems that, now that the old zone definitions have been
>>>>>> combined, Physically Secure Environment covers both physical and
>>>>>> logical environments. If we eliminate physical security, then we could just
>>>>>> address logical security, which could be better applied to the NetSec
>>>>>> document.
>>>>>>
>>>>>>
>>>>>>
>>>>>> In a future ballot, we might want to push some of the Trusted Role
>>>>>> requirements into BR 5.2.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks, Bruce.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Neil
>>>>>> Dunbar via Netsec
>>>>>> *Sent:* Tuesday, May 26, 2020 7:42 AM
>>>>>> *To:* netsec at cabforum.org
>>>>>> *Subject:* [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>>>>>
>>>>>>
>>>>>> I'm happy to endorse, Ben. Trev and David also said they would be
>>>>>> good to endorse the ballot.
>>>>>>
>>>>>> Neil
>>>>>>
>>>>>> On 13/05/2020 20:58, Ben Wilson via Netsec wrote:
>>>>>>
>>>>>> I can't remember whether there were people who volunteered to be
>>>>>> endorsers of the "Zones" ballot.
>>>>>>
>>>>>>
>>>>>>
>>>>>> See below:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Ballot and Explanation -
>>>>>> https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing
>>>>>>
>>>>>>
>>>>>>
>>>>>> Redlined version of NCSSRs -
>>>>>> https://drive.google.com/file/d/1n6LPNN0WJY9Cdw5qOl2-fFzQxBiZtw-q/view?usp=sharing
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>>
>>>>>> Netsec mailing list
>>>>>>
>>>>>> Netsec at cabforum.org
>>>>>>
>>>>>> http://cabforum.org/mailman/listinfo/netsec
>>>>>>
>>>>>>
>>>
>>
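As an added illustration of the immutable-link point Dimitris makes in the quoted thread (this is example code, not something from the list or the CAB Forum redline guide): a branch-name compare link such as `master...BenWilson-Mozilla:Zones-BR5.1` changes whenever either branch moves, while one pinned to the last commit hash of each branch keeps pointing at the same redline for ballot history. The builder assumes a local clone in which the base and fork branches have already been fetched under the ref names you pass in (e.g. `upstream/master`), which is an assumption for this example.

```shell
#!/bin/sh
# Build and check GitHub compare URLs pinned to commit hashes.
# Added example for this thread; assumes the base repo is
# cabforum/documents and the head is a fork, with both branches
# fetched locally under the ref names passed in.

# is_immutable_compare_url URL
# Succeeds only when both sides of the compare are full 40-hex commit
# hashes, i.e. the link cannot drift when a branch is updated later.
is_immutable_compare_url() {
  printf '%s\n' "$1" | grep -Eq \
    '^https://github\.com/[^/]+/[^/]+/compare/[0-9a-f]{40}\.\.\.[^:/]+:[0-9a-f]{40}$'
}

# immutable_compare_url BASE_REPO BASE_REF HEAD_OWNER HEAD_REF
# Resolves each branch name to the hash of its last commit with
# git rev-parse and prints the pinned compare URL in the
# <base_sha>...<fork_owner>:<head_sha> form GitHub accepts.
immutable_compare_url() {
  base_repo=$1 base_ref=$2 head_owner=$3 head_ref=$4
  base_sha=$(git rev-parse --verify "$base_ref") || return 1
  head_sha=$(git rev-parse --verify "$head_ref") || return 1
  printf 'https://github.com/%s/compare/%s...%s:%s\n' \
    "$base_repo" "$base_sha" "$head_owner" "$head_sha"
}
```

Run `is_immutable_compare_url` over a link before recording it in a ballot's history; a branch-name link that fails the check should be replaced with the pinned one `immutable_compare_url` prints.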