[cabf_netsec] Definition of "CA Equipment" for BR sec. 5.1

Neil Dunbar ndunbar at trustcorsystems.com
Thu May 28 22:54:45 MST 2020

How would we approach things like VMs/Containers run by a Cloud
provider, but controlled day-to-day by the CA and used in the governance
of their CA operations. For instance, a monitor service which is their
to check on CRLs/OCSP performance, but for reasons of broad spectrum
testing, should _not_ be run inside the CA's normal network of hosts?

Or things like EC2/Linode/GCP hosts which are used to check CAA records?
You could do it entirely within your network, of course, but then the
spectre of BGP Hijacking comes in to haunt you. I would have thought
that such hosts are 100% part of an intuitive notion of "CA Equipment".
It's certainly in the logical security controls of the CA, just outside
of the physical security controls.

I wish I could come up with a better definition, Ben, but I'm stuck too
right now.



On 29/05/2020 06:21, Ben Wilson via Netsec wrote:
> As a follow up to discussions today regarding the "zones" ballot and
> putting physical security requirements into section 5.1 of the BRs,
> there was a comment to one of the drafts[1] about "CA Equipment",
> since that term is often used in section 5.1.  I doubt many CAs have
> defined the term in their CPs or CPSes.  I'm also not sure whether it
> is defined in audit criteria. 
> Here is a first stab at defining the term:
> CA equipment:  servers (CA, database, CRL, OCSP, www, etc.), load
> balancers, firewalls, routers, network appliances, security
> appliances, and other hardware components used in the issuance and
> management of certificates, but does not include hardware outside the
> physical security boundary of the CA’s _____ such as CDNs, etc.
> Thoughts or suggestions?
> [1]
> https://docs.google.com/document/d/1Zpae_ysYXc7mFLrRaIU5Z9AQ9WsuOHAPWvgTN2kTJ30/edit
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org
> http://cabforum.org/mailman/listinfo/netsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/netsec/attachments/20200529/d76b7716/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pEpkey.asc
Type: application/pgp-keys
Size: 1774 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/netsec/attachments/20200529/d76b7716/attachment-0001.bin>

More information about the Netsec mailing list