[cabfpub] [Ballot 76] Public Review Draft of CA/Browser Forum Network and Certificate System Security Requirements

Ben Wilson ben at digicert.com
Tue Jun 12 23:35:01 UTC 2012


Ballot 76 to release the draft Security Requirements for public discussion
and comment was approved today with a vote of 11 in favor, none opposed.
The quorum requirement was 8.  I propose that we post the following
announcement to the Mozilla Dev Security Policy mailing list, on the
CA/Browser Forum web site, and elsewhere as appropriate:

12-June-2012 -- Today, the CA/Browser Forum released a draft "Network
and Certificate System Security Requirements" for public review, comment,
and discussion.  Comments may be submitted through Friday, 22 June 2012, to
questions at cabforum.org, or on the Mozilla Dev-Security-Policy mailing list:
dev-security-policy at lists.mozilla.org.  When commenting, please indicate the
section and subsection, if any, to which your comment is directed and offer
constructive alternative language to resolve your concern whenever possible.

It is anticipated that this document, when adopted, will provide a base
level of network and system security controls that all certification
authorities shall observe when operating as trust anchors in publicly
distributed browser software.  


Scope and Applicability:  These Network and Certificate System Security
Requirements (Requirements) apply to all publicly trusted Certification
Authorities (CAs) and are adopted with the intent that all such CAs and
Delegated Third Parties be audited for conformity with these Requirements
beginning [Date to be Determined] and that they be incorporated as mandatory
requirements (if not already mandatory requirements) in WebTrust for
Certification Authorities v. 2.0,  ETSI 101 456, ETSI TS 102 042, ISO
21188:2006, and subsequent versions, revisions, and implementations thereof,
including the audit schemes that purport to determine conformity therewith.
The CA is responsible for all tasks performed by Delegated Third Parties and
Trusted Roles.  The CA SHALL define, document, and disclose to its auditors
(a) the tasks assigned to Delegated Third Parties or Trusted Roles, and (b)
the arrangements made with Delegated Third Parties to ensure compliance with
these Requirements, and (c) the relevant practices implemented by Delegated
Third Parties. 


Each CA or Delegated Third Party SHALL:

a.       Segment Certificate Systems into networks or zones based on their
functional, logical, and physical (including location) relationship;

b.       Apply the same security controls to all systems co-located in the
same zone with a Certificate System;

c.       Maintain Root CA Systems in a High Security Zone and in an offline
state or air-gapped from all other networks;

d.       Maintain and protect Issuing Systems, Certificate Management
Systems, and Security Support Systems in at least a Secure Zone;

e.       Implement and configure Security Support Systems that protect
systems and communications between systems inside Secure Zones and High
Security Zones, and communications with non-Certificate Systems outside
those zones (including those with organizational business units that do not
provide PKI-related services) and those on public networks;

f.         Configure each network boundary control (firewall, switch,
router, gateway, or other network control device or system) with rules that
support only the services, protocols, ports, and communications that the CA
has identified as necessary to its operations;

g.       Configure Issuing Systems, Certificate Management Systems, Security
Support Systems, and Front-End / Internal-Support Systems by removing or
disabling all accounts, applications, services, protocols, and ports that
are not used in the CA's or Delegated Third Party's operations and allowing
only those that are approved by the CA or Delegated Third Party;

h.       Review changes to configurations of Issuing Systems, Certificate
Management Systems, Security Support Systems, and Front-End /
Internal-Support Systems on at least a weekly basis for compliance with the
CA's security policies;

i.         Grant administration access to Certificate Systems only to
persons acting in Trusted Roles and require their accountability for the
Certificate System's security;

j.         Implement multi-factor authentication to each Certificate System
that supports multi-factor authentication (but see subsection 2.n.(ii));

k.       Change authentication keys and passwords for privileged accounts
and service accounts on Certificate Systems whenever a person's
authorization to administratively access the Certificate Systems is changed
or revoked; and

l.         Apply recommended security patches to Certificate Systems within
six months of the security patch's availability, unless the CA documents
that the security patch would introduce additional vulnerabilities or
instabilities that outweigh the benefits of applying the security patch.


Each CA or Delegated Third Party SHALL:

a.       Follow a documented procedure for appointing individuals to Trusted
Roles and assigning responsibilities to them;

b.       Document the responsibilities and tasks assigned to Trusted Roles
and implement "separation of duties" for such Trusted Roles based on the
security-related concerns of the functions to be performed;

c.       Ensure that only Trusted Roles have access to Secure Zones and High
Security Zones;

d.       Ensure that a Trusted Role only acts within the scope of such role
when performing administrative tasks assigned to that role;

e.       Require employees and contractors to observe the principle of
"least privilege" when accessing, or when configuring access privileges on,
Certificate Systems;

f.        Require that a Trusted Role use a unique credential created by or
assigned to the Trusted Role to authenticate to Certificate Systems; 

g.       If an authentication control used by a Trusted Role is a username
and password, then, where technically feasible, implement the following
controls that require passwords:

    i.    Have at least twelve (12) characters; OR

    ii.   Have at least seven (7) characters, be changed at least every 90
    days, use a combination of at least numeric and alphabetic characters,
    that are not a dictionary word or on a list of previously disclosed
    human-generated passwords, and not one of the user's previous four
    passwords; OR

    iii.  Are created pursuant to a documented password management and
    account lockout policy that the CA has determined provides at least the
    same amount of protection against password guessing as either of the
    foregoing controls.


h.       Require Trusted Roles to log out of or lock workstations when no
longer in use;

i.         Configure workstations with inactivity time-outs that log the
user off or lock the workstation after a set time of inactivity without
input from the user  (the CA or Delegated Third Party MAY allow a
workstation to remain active and unattended if the workstation is otherwise
secured and running administrative tasks that would be interrupted by an
inactivity time-out or system lock);

j.         Review all system accounts at least quarterly and deactivate any
accounts that are no longer necessary for operations; 

k.       Lock out account access to Certificate Systems after no more than
five (5) failed access attempts, provided that this security measure is
supported by the Certificate System and does not weaken the security of this
authentication control;

l.         Implement a 24-hour process that disables an individual's access
to Certificate Systems  upon termination of the individual's employment or
contracting relationship with the CA or Delegated Third Party;

m.    Enforce multi-factor authentication for administrator access to
Issuing Systems and Certificate Management Systems;

n.       For each Delegated Third Party, (i) require multi-factor
authentication prior to the Delegated Third Party approving issuance of a
Certificate or (ii) implement technical controls that restrict the Delegated
Third Party's ability to approve certificate issuance to a limited set of
domain names;   

o.       Restrict remote administration or access to an Issuing System,
Certificate Management System, or Security Support System except when: (i)
the remote connection originates from a device owned or controlled by the CA
or Delegated Third Party and from a pre-approved external IP address, (ii)
the remote connection is through a temporary, non-persistent encrypted
channel that is supported by multi-factor authentication, and (iii) the
remote connection is made to a designated intermediary device (a) located
within the CA's network, (b) secured in accordance with these Requirements,
and (c) that mediates the remote connection to the Issuing System; and

p.       Ensure that access to Certificate Systems in High Security Zones
requires the action of multiple individuals performing their Trusted Roles.


Certification Authorities and Delegated Third Parties SHALL:

a.       Implement detection and prevention controls to protect Certificate
Systems against viruses and malicious software;

b.       Implement a Security Support System that will monitor, detect, and
report any security-related configuration change to Certificate Systems;

c.       Identify those Certificate Systems capable of monitoring and
logging system activity and enable those systems to continuously monitor and
log system activity;

d.       Implement automated mechanisms to process logged system activity
and alert personnel, using notices provided to multiple destinations, of
possible Critical Security Events; 

e.       Require personnel to follow up on notices of possible Critical
Security Events;

f.        Manually review application and system logs on at least a
quarterly basis for anomalous activity and review and validate logging
processes to ensure the proper operation of monitoring, logging, alerting,
and log-integrity-verification functions, and confirm audit log integrity
(the CA or Delegated Third Party MAY use an in-house or third-party audit
log reduction and analysis tool); 

g.       Maintain, archive, and retain logs in accordance with disclosed
business practices and applicable legislation; and

h.       Permit only authorized individuals to retrieve logs and only for
business or security reasons.


Certification Authorities and Delegated Third Parties SHALL:

a.       Document and follow a vulnerability correction process that
addresses the identification, review, response, and remediation of

b.       Undergo or perform a Vulnerability Scan (i) within one week of
receiving a request from the CA/Browser Forum,  (ii) after any system or
network changes that the CA determines are significant, and (iii) at least
once per quarter, on public and private IP addresses identified by the CA or
Delegated Third Party as the CA's or Delegated Third Party's Certificate

c.       Undergo a Penetration Test on the CA's and each Delegated Third
Party's Certificate Systems on at least an annual basis and   after
infrastructure or application upgrades or modifications that the CA
determines are significant;

d.       Record evidence that each Vulnerability Scan and Penetration Test
was performed by a person or entity (or collective group thereof) with the
skills, tools, proficiency, and independence necessary to provide a reliable
Vulnerability Scan or Penetration Test; and

e.       Do one of the following within 96 hours of discovery of a Critical
Vulnerability not previously addressed by the CA's vulnerability correction

    i.    Remediate the Critical Vulnerability;

    ii.   If remediation of the Critical Vulnerability within 96 hours is not
    possible, create and implement a plan to mitigate the Critical
    Vulnerability, giving priority to (1) vulnerabilities with high CVSS
    scores, starting with the vulnerabilities the CA determines are the most
    critical (such as those with a CVSS score of 10.0) and (2) systems that
    lack sufficient compensating controls that, if the vulnerability were left
    unmitigated, would allow external system control, code execution,
    privilege escalation, or system compromise; or

    iii.  Document the factual basis for the CA's determination that the
    vulnerability does not require remediation because (a) the CA disagrees
    with the NVD rating, (b) the identification is a false positive, (c) the
    exploit of the vulnerability is prevented by compensating controls or an
    absence of threats; or (d) other similar reasons.


Certificate Management System:   A system used by a CA or Delegated Third
Party to process, approve issuance of, or store certificates or certificate
status information, including the database, database server, and storage.

Certificate Systems:  The system used by a CA or Delegated Third Party in
providing identity verification, registration and enrollment, certificate
approval, issuance, validity status, support, and other PKI-related

Common Vulnerability Scoring System (CVSS):  A quantitative model used to
measure the base level severity of a vulnerability.

Critical Security Event:  Detection of an event, a set of circumstances, or
anomalous activity that could lead to a circumvention of a Zone's security
controls or a compromise of a Certificate System's integrity, including
excessive login attempts, attempts to access prohibited resources, DoS/DDoS
attacks, hacker reconnaissance, excessive traffic at unusual hours, signs of
unauthorized access, system intrusion, or an actual compromise of component

Critical Vulnerability:  A system vulnerability that has a CVSS score of 7.0
or higher according to the NVD or an equivalent to such CVSS rating, or as
otherwise designated as a Critical Vulnerability  by the CA or the
CA/Browser Forum.

Delegated Third Party:   As defined in the Baseline Requirements.

Delegated Third Party System: Any part of a Certificate System used by a
Delegated Third Party while performing the functions delegated to it by the

Front End / Infrastructure Support System:  A system with a public IP
address, including a web server, mail server, DNS server, jump host, or
authentication server.  

High Security Zone:  An area where a CA's or Delegated Third Party's Private
Key or cryptographic hardware is located.

Issuing System:  A system used to sign certificates or validity status

National Vulnerability Database (NVD):   A database that includes the Common
Vulnerability Scoring System (CVSS) scores of security-related software
flaws, misconfigurations, and vulnerabilities associated with systems. 

OWASP Top Ten:  A list of application vulnerabilities published by the Open
Web Application Security Project.

Penetration Test:   A process that identifies and attempts to exploit
openings and vulnerabilities on systems through the active use of known
hacker techniques, including the combination of different types of exploits,
with a goal of breaking through layers of defenses and reporting on
unpatched vulnerabilities and system weaknesses. 

Root CA System:  A system used to create a Root Certificate or to generate,
store, or sign with the Private Key associated with a Root Certificate.

SANS Top 25:  A list created with input from the SANS Institute and the
Common Weakness Enumeration (CWE) that identifies the Top 25 Most Dangerous
Software Errors that lead to exploitable vulnerabilities.

Secure Zone:  An area (physical or logical) containing an Issuing System,
Certificate Management System, and Security Support System (and the physical
location of Front-End / Internal-Support Systems). 

Security Support System:   A system used to provide security support
functions, such as authentication, network boundary control, audit logging,
audit log reduction and analysis, vulnerability scanning, and anti-virus.


System:  One or more pieces of equipment or software that stores,
transforms, or communicates data. 

Trusted Role:  An employee or contractor of a CA or Delegated Third Party
who has authorized access to or control over a Secure Zone or High Security

Vulnerability Scan:  A process that uses manual or automated tools to probe
internal and external systems to check and report on the status of operating
systems, services, and devices exposed to the network and the presence of
vulnerabilities listed in the NVD, OWASP Top Ten, or SANS Top 25. 

Zone:  A subset of Certificate Systems created by the logical or physical
partitioning of systems from other Certificate Systems.





Benjamin T. Wilson, JD CISSP 
General Counsel and SVP Industry Relations
DigiCert, Inc.

Online: http://www.digicert.com/
Email: ben at digicert.com
Toll Free: 1-800-896-7973 (US & Canada)
Direct: 1-801-701-9678
Fax: 1-866-842-0223 (Toll Free if calling from the US or Canada) 


The information contained in this transmission may contain privileged and
confidential information. It is intended only for the use of the person(s)
named above. If you are not the intended recipient, you are hereby notified
that any review, dissemination, distribution or duplication of this
communication is strictly prohibited. If you are not the intended recipient,
please contact the sender by reply email and destroy all copies of the
original message. Thank You
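
The password controls in item g of the Trusted Roles section of the draft above (twelve or more characters, or seven or more with the added conditions, plus the 90-day change and four-password history rules) written out as a policy check. This is an added example and is not part of Ben Wilson's post or of the CA/Browser Forum draft. The word list, the disclosed-password list, the history digests and the use of plain SHA-256 for the history comparison are constructed assumptions; a production check would load real word and breach lists and store history as salted, slow hashes.

```python
"""Password-policy check modelled on item 2.g of the draft quoted above.

Added illustration only: not code from the CA/Browser Forum draft or from
DigiCert.  The word list, disclosed-password list and history digests are
constructed samples.
"""
from __future__ import annotations

import hashlib
import re
from datetime import date, timedelta

# Constructed sample data (assumptions, not from the original post).
DICTIONARY_WORDS = {"password", "welcome", "certificate", "digicert", "summer"}
DISCLOSED_PASSWORDS = {"password1", "letmein1", "qwerty123", "summer2012"}
MAX_PASSWORD_AGE = timedelta(days=90)   # 2.g(ii): changed at least every 90 days
HISTORY_DEPTH = 4                       # 2.g(ii): not one of the previous four


def digest(password: str) -> str:
    """Digest used to compare against stored history without keeping cleartext.

    Assumption: production would use a salted, slow hash (scrypt or similar);
    plain SHA-256 keeps the example self-contained.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(password: str, history: list[str]) -> list[str]:
    """Return policy violations for a proposed password; empty means acceptable.

    `history` holds digests of the user's earlier passwords, newest first.
    """
    # 2.g(i): twelve or more characters satisfies the control on its own.
    if len(password) >= 12:
        return []

    # Otherwise 2.g(ii) applies and every condition below must hold.
    problems: list[str] = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both alphabetic and numeric characters")
    # Compare the alphabetic core so "Welcome1" is still caught as a dictionary word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if password.lower() in DISCLOSED_PASSWORDS:
        problems.append("appears on a list of previously disclosed passwords")
    if digest(password) in history[:HISTORY_DEPTH]:
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed: str, today: str) -> bool:
    """True when a password under 2.g(ii) is older than the 90-day maximum.

    Both arguments are ISO dates (YYYY-MM-DD).
    """
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > MAX_PASSWORD_AGE


if __name__ == "__main__":
    previous = [digest("Tr0ub4dor"), digest("Sp4rkle9")]
    for candidate in ["correct horse battery", "Welcome1", "Tr0ub4dor", "ab1"]:
        print(candidate, "->", password_problems(candidate, previous) or "ok")
    print("rotation due:", rotation_due("2012-01-01", "2012-06-12"))
```

Note that the twelve-character branch returns immediately because that is all item (i) asks for; a CA adopting option (i) would still be wise to screen long passwords against a disclosed-password list, which the draft does not require.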
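
Two of the events named in the draft's Critical Security Event definition ("excessive login attempts" and "attempts to access prohibited resources") detected over log lines and turned into notices for multiple destinations, as item d of the logging section requires. This is an added example, not code from the post, from the CA/Browser Forum or from any CA. The syslog-like line format, the host names, the sample log itself, the ten-minute sliding window and the destination names are assumptions; the threshold of five failures reuses the lockout limit from item k of the Trusted Roles section.

```python
"""Detection of two Critical Security Events from the draft's definition over
constructed log lines.  Added illustration, not code from the CA/Browser Forum
draft; the log format, hosts and window length are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5        # mirrors the lockout limit in item 2.k
WINDOW = timedelta(minutes=10)    # assumption: sliding window for counting failures

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
DENIED_RE = re.compile(r"denied access to (?P<path>\S+) for (?P<user>\S+)")

# Constructed sample log (not from the original post).  Six failures for
# "admin" in twenty seconds, one denied request, and two isolated failures
# for "raops" eleven hours apart.
SAMPLE_LOG = """\
2012-06-12T02:14:01Z ca-issuing-01 sshd: Accepted publickey for raops from 10.0.5.20
2012-06-12T02:15:10Z ca-issuing-01 sshd: Failed password for admin from 198.51.100.7
2012-06-12T02:15:12Z ca-issuing-01 sshd: Failed password for admin from 198.51.100.7
2012-06-12T02:15:15Z ca-issuing-01 sshd: Failed password for admin from 198.51.100.7
2012-06-12T02:15:19Z ca-issuing-01 sshd: Failed password for admin from 198.51.100.7
2012-06-12T02:15:24Z ca-issuing-01 sshd: Failed password for admin from 198.51.100.7
2012-06-12T02:15:30Z ca-issuing-01 sshd: Failed password for admin from 198.51.100.7
2012-06-12T02:40:00Z ca-mgmt-01 httpd: denied access to /hsm/export for raops
2012-06-12T03:00:00Z ca-issuing-01 sshd: Failed password for raops from 10.0.5.20
2012-06-12T14:00:00Z ca-issuing-01 sshd: Failed password for raops from 10.0.5.20
"""


def parse_line(line: str) -> dict | None:
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_events(log_text: str) -> list[dict]:
    """Scan lines in order and return Critical Security Event candidates."""
    failures: dict[tuple, deque] = defaultdict(deque)
    events: list[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            key = (rec["host"], m["user"], m["src"])
            window = failures[key]
            window.append(rec["when"])
            # Drop failures that have aged out of the sliding window.
            while window and rec["when"] - window[0] > WINDOW:
                window.popleft()
            # Alert exactly when the lockout threshold is reached, once per burst.
            if len(window) == FAILED_LOGIN_THRESHOLD:
                events.append({"type": "excessive_login_attempts", "host": rec["host"],
                               "user": m["user"], "src": m["src"], "at": rec["ts"]})
            continue
        m = DENIED_RE.search(rec["msg"])
        if m:
            events.append({"type": "prohibited_resource", "host": rec["host"],
                           "user": m["user"], "path": m["path"], "at": rec["ts"]})
    return events


def fan_out(events: list[dict], destinations: list[str]) -> list[tuple[str, str]]:
    """One notice per (event, destination); item 3.d asks for multiple destinations."""
    if len(destinations) < 2:
        raise ValueError("notices must be sent to multiple destinations")
    notices = []
    for e in events:
        detail = ", ".join(f"{k}={v}" for k, v in e.items() if k != "type")
        for dest in destinations:
            notices.append((dest, f"possible Critical Security Event: {e['type']} ({detail})"))
    return notices


if __name__ == "__main__":
    for dest, text in fan_out(detect_events(SAMPLE_LOG), ["pager:soc-oncall", "mailto:soc@ca.example"]):
        print(dest, "<-", text)
```

The alert fires on the fifth failure and stays quiet on the sixth, so a brute-force burst produces one notice per destination rather than one per attempt; the two "raops" failures never trigger because the first has aged out of the window by the time the second arrives.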

