[cabf_netsec] "Zones" Ballot Endorsers

Ben Wilson bwilson at mozilla.com
Thu Jun 25 14:48:08 MST 2020


Here is an updated redline based on today's discussion.

https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:edf579f3b15e962720f6741b27bf3fefda88cf00

On Thu, Jun 25, 2020 at 9:08 AM Ben Wilson <bwilson at mozilla.com> wrote:

> Here is the URL with immutable links.
>
> https://github.com/cabforum/documents/compare/095fc4f7992dbd186503a4b0ec4e643ae4ea1624...BenWilson-Mozilla:f03fe22df70f4d4ff030c9b07467847dbf40baa8
>
> On Thu, Jun 25, 2020 at 8:53 AM Ben Wilson <bwilson at mozilla.com> wrote:
>
>> Awesome, thanks!
>>
>> On Thu, Jun 25, 2020 at 8:37 AM Dimitris Zacharopoulos (HARICA) <
>> dzacharo at harica.gr> wrote:
>>
>>>
>>>
>>> On 2020-06-25 5:21 PM, Ben Wilson wrote:
>>>
>>> Thanks!  But even with an immutable link, since it is a pull in my
>>> repository, do I need to archive it somehow for ballot history? Or does the
>>> immutable link take care of that?
>>>
>>>
>>> The immutable link takes care of that. It's global (regardless of your
>>> repo or other repos). It's unique to the entire GitHub system.
>>>
>>> Dimitris.
>>>
>>>
>>> On Thu, Jun 25, 2020 at 4:23 AM Dimitris Zacharopoulos (HARICA) <
>>> dzacharo at harica.gr> wrote:
>>>
>>>>
>>>>
>>>> On 2020-06-25 7:22 AM, Ben Wilson wrote:
>>>>
>>>> I tried to follow it, to a certain extent, but I wasn't sure how to
>>>> create the immutable link.  I stopped short of creating a pull request to
>>>> the CABF master - it's a pull request to my own master.
>>>>
>>>>
>>>> To find the proper hashes, you look at the last commit from each branch
>>>> that you are trying to compare. It took me some time to figure it out
>>>> myself :)
>>>>
>>>> Dimitris.
>>>>
>>>>
>>>>
>>>> On Wed, Jun 24, 2020, 10:19 PM Dimitris Zacharopoulos (HARICA) <
>>>> dzacharo at harica.gr> wrote:
>>>>
>>>>>
>>>>> Hi Ben,
>>>>>
>>>>> Did you by any chance follow the process in
>>>>> https://wiki.cabforum.org/github_redline_guide? If you did, I'd like
>>>>> to know if you found it useful, clear/difficult to follow and so on so we
>>>>> can improve it.
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Dimitris.
>>>>>
>>>>> On 2020-06-25 5:09 AM, Ben Wilson via Netsec wrote:
>>>>>
>>>>> Here is the pull request and redlines for this ballot -
>>>>> https://github.com/BenWilson-Mozilla/documents/pull/3/files
>>>>>
>>>>> or here is another comparison link:  https://github.com/cabforum/documents/compare/master...BenWilson-Mozilla:Zones-BR5.1
>>>>>
>>>>>
>>>>> I haven't added in dates or endorsers yet, but here is the draft
>>>>> ballot:
>>>>> https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing
>>>>>
>>>>> On Mon, Jun 1, 2020 at 1:11 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>>>>
>>>>>> This isn't aimed at the Offline CA ballot - it deals with whether we
>>>>>> define "CA equipment".  Sorry for the confusion.
>>>>>>
>>>>>> On Mon, Jun 1, 2020 at 1:05 PM Ponds-White, Trevoli <
>>>>>> trevolip at amazon.com> wrote:
>>>>>>
>>>>>>> Daymion from GoDaddy right? We had cut the scoping definitions out
>>>>>>> of a previous ballot because it made it too bloated with different topics
>>>>>>> and I thought we decided those should have their own ballot.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> How do these changes overlap with the ballot that is clarifying
>>>>>>> offline CA requirements?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Ben
>>>>>>> Wilson via Netsec
>>>>>>> *Sent:* Monday, June 1, 2020 11:23
>>>>>>> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>>>>>>> *Cc:* CABF Network Security List <netsec at cabforum.org>
>>>>>>> *Subject:* RE: [EXTERNAL] [cabf_netsec] [EXTERNAL]Re: "Zones"
>>>>>>> Ballot Endorsers
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Also, in working on this, I recalled that Daymion when he was at
>>>>>>> Google had requested that we define the scope of the requirements.
>>>>>>>
>>>>>>> Excerpted below:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Add below section to the “Scope and Applicability” to define scope
>>>>>>> of PKI Trusted Environment and to read as follows:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The network security requirements apply to all system components
>>>>>>> included in or connected to the publicly trusted certificate authority (CA)
>>>>>>> environment. The CA environment is comprised of people, processes and
>>>>>>> technologies that store, process, or transmit CA data. “System components”
>>>>>>> include network devices, servers, hardware security modules (HSM),
>>>>>>> computing devices, and applications residing within the CA environment.
>>>>>>> Examples of system components include, but are not limited to, the following:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> a.    Systems that provide security services (for example,
>>>>>>> authentication servers), facilitate segmentation (for example, internal
>>>>>>> firewalls), or may impact the security of (for example, name resolution or
>>>>>>> web redirection servers).
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> b.    Virtualization components such as virtual machines, virtual
>>>>>>> switches/routers, virtual appliances, virtual applications/desktops, and
>>>>>>> hypervisors.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> c.    Network components including but not limited to firewalls,
>>>>>>> switches, routers, network appliances, IPMI remote management cards, HSM
>>>>>>> and other security appliances.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> d.    Server types including but not limited to web, application,
>>>>>>> database, authentication, mail, proxy, Network Time Protocol (NTP), and
>>>>>>> Domain Name System (DNS).
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> e.    Applications including all purchased and custom applications.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> f.    Any other component or device located within the CA
>>>>>>> environment.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, May 28, 2020 at 1:01 PM Ben Wilson <bwilson at mozilla.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> I'll work on a re-draft, hopefully this afternoon, and re-circulate
>>>>>>> it.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, May 28, 2020 at 12:53 PM Bruce Morton <
>>>>>>> Bruce.Morton at entrustdatacard.com> wrote:
>>>>>>>
>>>>>>> I would assume that if we did not amend the BRs, then it would look
>>>>>>> like the security requirements were being reduced. So yes, I think that the
>>>>>>> BRs should be changed at the same time.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Bruce.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* Ben Wilson <bwilson at mozilla.com>
>>>>>>> *Sent:* Thursday, May 28, 2020 2:45 PM
>>>>>>> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>>>>>>> *Cc:* Neil Dunbar <ndunbar at trustcorsystems.com>; CABF Network
>>>>>>> Security List <netsec at cabforum.org>
>>>>>>> *Subject:* Re: [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I'm open to discussion on this.  Would we want to amend section 5.1
>>>>>>> of the BRs with the same ballot?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Thu, May 28, 2020 at 12:33 PM Bruce Morton <
>>>>>>> Bruce.Morton at entrustdatacard.com> wrote:
>>>>>>>
>>>>>>> Hi Ben,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks for all the work on this ballot. I am wondering if we should
>>>>>>> try to remove physical security and physical access requirements from the
>>>>>>> NetSec document. Physical Security requirements could be put into BR 5.1 in
>>>>>>> a section called Physical Security Controls.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> For instance, item 1.c. states “Maintain Root CA Systems in a
>>>>>>> Physically Secure Environment and in an offline state or air-gapped from
>>>>>>> all other networks.” This could be changed so that 1.c. states “Maintain
>>>>>>> Root CA Systems in an offline state or air-gapped from all other networks”
>>>>>>> and BR 5.1 could state “Maintain CA Systems in a physically secure
>>>>>>> environment.”
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> It also seems that, now that the old zone definitions have been
>>>>>>> combined, Physically Secure Environment now covers both physical and
>>>>>>> logical environments. If we eliminate physical security, then we could just
>>>>>>> address logical security, which could be better applied to the NetSec
>>>>>>> document.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> In a future ballot, we might want to push some of the Trusted Role
>>>>>>> requirements into BR 5.2.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks, Bruce.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Neil
>>>>>>> Dunbar via Netsec
>>>>>>> *Sent:* Tuesday, May 26, 2020 7:42 AM
>>>>>>> *To:* netsec at cabforum.org
>>>>>>> *Subject:* [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I'm happy to endorse, Ben. Trev and David also said they would be
>>>>>>> good to endorse the ballot.
>>>>>>>
>>>>>>> Neil
>>>>>>>
>>>>>>> On 13/05/2020 20:58, Ben Wilson via Netsec wrote:
>>>>>>>
>>>>>>> I can't remember whether there were people who volunteered to be
>>>>>>> endorsers of the "Zones" ballot.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> See below:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Ballot and Explanation -
>>>>>>> https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Redlined version of NCSSRs -
>>>>>>> https://drive.google.com/file/d/1n6LPNN0WJY9Cdw5qOl2-fFzQxBiZtw-q/view?usp=sharing
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>>
>>>>>>> Netsec mailing list
>>>>>>>
>>>>>>> Netsec at cabforum.org
>>>>>>>
>>>>>>> http://cabforum.org/mailman/listinfo/netsec
>>>>>>>
>>>>>>>
>>>>
>>>