[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Ben Wilson ben.wilson at digicert.com
Fri Aug 21 13:28:17 MST 2015


When I said security, I was thinking of availability, but that would be a contractual issue between the CA and the CDN – right now the requirement in section 4.10.2 is 10 seconds -- “The CA SHALL operate and maintain its CRL and OCSP capability with resources sufficient to provide a response time of ten seconds or less under normal operating conditions. The CA SHALL maintain an online 24x7 Repository that application software can use to automatically check the current status of all unexpired Certificates issued by the CA.”

 

 

From: Erwann Abalea [mailto:eabalea at gmail.com] 
Sent: Friday, August 21, 2015 1:12 PM
To: Bruce Morton <bruce.morton at entrust.com>
Cc: Ben Wilson <ben.wilson at digicert.com>; public at cabforum.org; Adam Langley <agl at google.com>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

 

I agree with Bruce. CDNs can't alter signed objects without being detected, they can only remove/replay/replace them, as any attacker can do. And we can't set security requirements on attackers.

There are also some transparent caches which can be seen as CDNs (mobile telco networks, for example).

What needs to be obviously protected is the unsigned certificate status, stored at the CA database level.

(written while lying in my hammock)

Ben,

I disagree. We do not need to set security requirements for CDNs.

The CDN and the server providing an OCSP Stapling response are both providing signed responses. These responses are signed similarly to the server certificate. If the CDN or server provides a signed response which fails validation, then an error will occur per design. As such, it is the signer that must comply with the security requirements.

Bruce.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, August 21, 2015 1:25 PM
To: Adam Langley <agl at google.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

It might be good for a working group to write up the security expectations of CDNs based on a threat-risk assessment.

-----Original Message-----
From: Adam Langley [mailto:agl at google.com]
Sent: Friday, August 21, 2015 11:13 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: Ryan Sleevi <sleevi at google.com>; CABFPub <public at cabforum.org>; Peter Bowen <pzbowen at gmail.com>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> That being said, CDNs still need to meet security standards because
> they provide status information to end users.  One might expect
> auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16
> reports, and that CAs should be requesting copies of those from CDNs
> on an annual basis.

On that basis, aren't all servers that perform OCSP stapling "provid[ing] status information to end users" and thus subject to the same requirements?


Cheers

AGL