[cabf_netsec] [EXTERNAL]Re: "Zones" Ballot Endorsers

Ben Wilson bwilson at mozilla.com
Thu May 28 12:01:54 MST 2020


I'll work on a re-draft, hopefully this afternoon, and re-circulate it.

On Thu, May 28, 2020 at 12:53 PM Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:

> I would assume that if we did not amend the BRs, then it would look like
> the security requirements were being reduced. So yes, I think that the BRs
> should be changed at the same time.
>
>
>
> Bruce.
>
>
>
> *From:* Ben Wilson <bwilson at mozilla.com>
> *Sent:* Thursday, May 28, 2020 2:45 PM
> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
> *Cc:* Neil Dunbar <ndunbar at trustcorsystems.com>; CABF Network Security
> List <netsec at cabforum.org>
> *Subject:* Re: [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>
>
>
> I'm open to discussion on this.  Would we want to amend section 5.1 of the
> BRs with the same ballot?
>
>
>
> On Thu, May 28, 2020 at 12:33 PM Bruce Morton <
> Bruce.Morton at entrustdatacard.com> wrote:
>
> Hi Ben,
>
>
>
> Thanks for all the work on this ballot. I am wondering if we should try to
> remove physical security and physical access requirements from the NetSec
> document. Physical Security requirements could be put into BR 5.1 in a
> section called Physical Security Controls.
>
>
>
> For instance, item 1.c. states “Maintain Root CA Systems in a Physically
> Secure Environment and in an offline state or air-gapped from all other
> networks.” This could be changed so that 1.c. states “Maintain Root CA
> Systems in an offline state or air-gapped from all other networks” and BR
> 5.1 could state “Maintain CA Systems in a physically secure environment.”
>
>
>
> It also seems that now that the old zone definitions have been combined
> and now Physically Secure Environment now covers both physical and logical
> environments. If we eliminate physical security, then we could just address
> logical security which could be better applied to the NetSec document.
>
>
>
> In a future ballot, we might want to push some of the Trusted Role
> requirements into BR 5.2.
>
>
>
> Thanks, Bruce.
>
>
>
> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Neil Dunbar
> via Netsec
> *Sent:* Tuesday, May 26, 2020 7:42 AM
> *To:* netsec at cabforum.org
> *Subject:* [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>
>
>
> *WARNING:* This email originated outside of Entrust Datacard.
> *DO NOT CLICK* links or attachments unless you trust the sender and know
> the content is safe.
> ------------------------------
>
> I'm happy to endorse, Ben. Trev and David also said they would be good to
> endorse the ballot.
>
> Neil
>
> On 13/05/2020 20:58, Ben Wilson via Netsec wrote:
>
> I can't remember whether there were people who volunteered to be endorsers
> of the "Zones" ballot.
>
>
>
> See below:
>
>
>
> Ballot and Explanation -
> https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing
>
>
>
> Redlined version of NCSSRs -
> https://drive.google.com/file/d/1n6LPNN0WJY9Cdw5qOl2-fFzQxBiZtw-q/view?usp=sharing
>
>
>
> _______________________________________________
>
> Netsec mailing list
>
> Netsec at cabforum.org
>
> http://cabforum.org/mailman/listinfo/netsec
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20200528/ed4f3d42/attachment.html>


More information about the Netsec mailing list