[cabf_netsec] Rough Draft of a New Ballot

Ben Wilson benwilsonusa at gmail.com
Mon Mar 9 11:52:51 MST 2020


Here is a first and very rough draft of a new ballot to address concerns
about Sections 1.b, 1.d, 1.e, and 1.f of the current Network and
Certificate System Security Requirements that we worked on during a call
today of the Document Structure subgroup.  I'll post a response-and-comment
version to the Google repository shortly.

This ballot proposes new language for subsections in Section 5.1 of the
Baseline Requirements and the following modifications to the NCSSRs.

Rationale:  The NCSSRs lack adequate description of physical security and
the Baseline Requirements have the best placeholder, Section 5.1, for
physical security requirements.  The NCSSRs need to be updated for the
following reasons:  (1) to address cloud environments (they are based
currently on outdated architectural assumptions), (2) to remove ambiguity
caused by the use of a single concept “Secure Zone” for two aspects –
physical security and logical security, (3) to add basic requirements
around the concept of physical security, and (4) to fine-tune the
implementation of logical security to map risks to protective measures
(current provisions preclude certain design options in the architecture).

A prior assumption of the NCSSRs was that the systems needed the protections
specified in the NCSSRs, which today can be implemented with other
mechanisms that provide more robust security.



INSERT THE FOLLOWING IN THE BRs:

5.1.1. Site location and construction

CA equipment SHALL be located in an environment that provides physical
security through the use of locked rooms, cages, safes, or cabinets.

5.1.2. Physical access

CA equipment SHALL be protected by physical locks equipped with access
control devices (keys, tokens, biometric readers, and/or access control
lists) that control physical access to CA equipment.

5.1.3. Power and air conditioning

CA equipment SHALL have an Uninterruptible Power Supply sufficient to ensure
the trustworthy shutdown of sensitive operations.

5.1.4. Water exposures

CAs SHALL protect CA equipment from damage due to water exposure.

5.1.5. Fire prevention and protection

CAs SHALL protect CA equipment with adequate fire prevention and protection
mechanisms.

5.1.6. Media storage

Backup media SHALL be stored in a separate location that is physically
secure and protected from environmental or other damage.

5.1.7. Waste disposal

CAs SHALL ensure that sensitive information is shredded or erased before
disposal.

5.1.8. Off-site backup

See Section 5.1.6.



DELETE THE CURRENT LANGUAGE FROM THE NCSSRs:

Apply equivalent security controls to all systems co-located in the same
network with a Certificate System (1.b)

Maintain and protect Issuing Systems, Certificate Management Systems, and
Security Support Systems in at least a Secure Zone (1.d)

Implement and configure Security Support Systems that protect systems and
communications between systems inside Secure Zones and High Security Zones,
and communications with non-Certificate Systems outside those zones
(including those with organizational business units that do not provide
PKI-related services) and those on public networks (1.e)

Configure each network boundary control (firewall, switch, router, gateway,
or other network control device or system) with rules that support only the
services, protocols, ports, and communications that the CA has identified
as necessary to its operations (1.f)

INSERT THE FOLLOWING LANGUAGE IN THE NCSSRs:

Implement controls based on a risk assessment that provide adequate
protection to Issuing CA Systems and Offline CA Systems. [Replaces “Apply
equivalent security controls to all systems co-located in the same network
with a Certificate System” (1.b)]

Maintain Issuing Systems, Certificate Management Systems, and Security
Support Systems in a physical location protected by the controls described
in Section 5.1 of the Baseline Requirements [Replaces “Maintain and protect
Issuing Systems, Certificate Management Systems, and Security Support
Systems in at least a Secure Zone” (1.d)]

Implement and configure Security Support Systems that protect Certificate
System communications with non-Certificate Systems (including those with
organizational business units that do not provide PKI-related services and
those on public networks) [Replaces “Implement and configure Security
Support Systems that protect systems and communications between systems
inside Secure Zones and High Security Zones, and communications with
non-Certificate Systems outside those zones (including those with
organizational business units that do not provide PKI-related services) and
those on public networks” (1.e)]

Maintain and implement a process that identifies and approves those
services, protocols, ports, and communications that serve a necessary
purpose.  [Replaces “Configure each network boundary control (firewall,
switch, router, gateway, or other network control device or system) with
rules that support only the services, protocols, ports, and communications
that the CA has identified as necessary to its operations” (1.f)]

(Rationale: In a colocation or similar environment, there might be protocols
that are not under the control of the CA.)


Comments welcome,

Ben