[cabf_netsec] [EXTERNAL]Re: Definition of "CA Equipment" for BR sec. 5.1

Bruce Morton Bruce.Morton at entrustdatacard.com
Fri May 29 06:34:57 MST 2020

Do we need the definition? I ask, because the CAs already have physical security/access requirements from WebTrust and ETSI without the definition.

WebTrust for CA has the following requirements:
3.4 Physical and Environmental Security
The CA maintains controls to provide reasonable assurance that:

  *   physical access to CA facilities and equipment is limited to authorised individuals, protected through restricted security perimeters, and is operated under multiple person (at least dual custody) control;
  *   CA facilities and equipment are protected from environmental hazards;
  *   loss, damage or compromise of assets and interruption to business activities are prevented; and
  *   compromise of information and information processing facilities is prevented.

EN 319 401 has the following requirements:
7.6 Physical and environmental security
REQ-7.6-01: The TSP shall control physical access to components of the TSP's system whose security is critical to the provision of its trust services and minimize risks related to physical security.
NOTE 1: See clause 11 of ISO/IEC 27002:2013 [i.3] for guidance.
In particular:
• REQ-7.6-02: Physical access to components of the TSP's system whose security is critical to the provision of its trust services shall be limited to authorized individuals.
NOTE 2: Criticality is identified through risk assessment, or through application security requirements, as requiring a security protection.
• REQ-7.6-03: Controls shall be implemented to avoid loss, damage or compromise of assets and interruption to business activities.
• REQ-7.6-04: Controls shall be implemented to avoid compromise or theft of information and information processing facilities.
• REQ-7.6-05: Components that are critical for the secure operation of the trust service shall be located in a protected security perimeter with physical protection against intrusion, controls on access through the security perimeter and alarms to detect intrusion.
NOTE 3: See ISO/IEC 27002:2013 [i.3], clause 11.1 for guidance on secure areas.

From: Netsec <netsec-bounces at cabforum.org> On Behalf Of Neil Dunbar via Netsec
Sent: Friday, May 29, 2020 1:55 AM
To: netsec at cabforum.org
Subject: [EXTERNAL]Re: [cabf_netsec] Definition of "CA Equipment" for BR sec. 5.1


How would we approach things like VMs/Containers run by a Cloud provider, but controlled day-to-day by the CA and used in the governance of their CA operations. For instance, a monitor service which is there to check on CRLs/OCSP performance, but for reasons of broad spectrum testing, should _not_ be run inside the CA's normal network of hosts?

Or things like EC2/Linode/GCP hosts which are used to check CAA records? You could do it entirely within your network, of course, but then the spectre of BGP Hijacking comes in to haunt you. I would have thought that such hosts are 100% part of an intuitive notion of "CA Equipment". It's certainly in the logical security controls of the CA, just outside of the physical security controls.

I wish I could come up with a better definition, Ben, but I'm stuck too right now.


On 29/05/2020 06:21, Ben Wilson via Netsec wrote:
As a follow-up to discussions today regarding the "zones" ballot and putting physical security requirements into section 5.1 of the BRs, there was a comment to one of the drafts[1] about "CA Equipment", since that term is often used in section 5.1. I doubt many CAs have defined the term in their CPs or CPSes. I'm also not sure whether it is defined in audit criteria.

Here is a first stab at defining the term:

CA equipment:  servers (CA, database, CRL, OCSP, www, etc.), load balancers, firewalls, routers, network appliances, security appliances, and other hardware components used in the issuance and management of certificates, but does not include hardware outside the physical security boundary of the CA’s _____ such as CDNs, etc.

Thoughts or suggestions?

[1] https://docs.google.com/document/d/1Zpae_ysYXc7mFLrRaIU5Z9AQ9WsuOHAPWvgTN2kTJ30/edit

