[cabfpub] DRAFT Certificate System Operational Security Requirements

[Jeremy Rowley]

Hi everyone, 

 

Attached is a draft of part two of the Forum's security requirements.  These
requirements ask CA's to consider how management of the CA can impact
security and trust.  Requirements that will eventually become part of the
audit include guidelines on asset protection, certificate system and
operational controls, and software development practices.  The overall goal
of part two is to prevent situations similar to the TurkTrust incident from
re-occurring.  

 

The commentary in the document is only intended to initiate discussion on
the various topics and will be removed prior to adoption. Once these are
adopted, we can work on the final part of the security guidelines,
requirements on a CA's physical security.

 

I look forward to your feedback.

 

Thanks,

Jeremy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20130201/1f8214ac/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SecurityGuidelines 2.0.odt
Type: application/vnd.oasis.opendocument.text
Size: 17697 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20130201/1f8214ac/attachment-0001.odt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SecurityGuidelines 2.0.pdf
Type: application/pdf
Size: 122673 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20130201/1f8214ac/attachment-0001.pdf