[cabfpub] Remote access clarification

Dean Coclin Dean_Coclin at symantec.com
Tue Aug 25 11:32:38 MST 2015


Couldn’t this “automatic remote access” be proxied such that there is no direct connection from the outside?

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Tuesday, August 25, 2015 12:25 PM
To: CABFPub
Subject: [cabfpub] Remote access clarification
---------- Forwarded message ----------
From: Peter Bowen <pzbowen at gmail.com>
Date: Mon, Aug 24, 2015 at 3:58 PM
Subject: Remote access clarification


The Network and Certificate System Security Requirements set forth by
the CA/Browser Forum discuss "remote" access to Certificate Management
Systems.  Ben Wilson kindly suggested that remote is essentially when
the access to the system occurs without needing physical access to the
system.  The security requirements say that remote access must be
from a pre-approved IP address, via an intermediary device, and
authenticated via multi-factor authentication.

I'm having a hard time squaring this with what I've observed.  Most
CAs appear to have some sort of web interface or API that allows
customers to request certificates containing pre-approved or
automatically validated domain names.  The latency from request to
receipt of certificates is usually low, well under 10 minutes, and
the service is available around the clock.  This strongly suggests
that there is automatic remote access involved.

Additionally some CAs offer OCSP service which supports nonces in
responses or signed unknown responses for anonymous requests. The
response latency is usually a few seconds at most.  This also strongly
suggests that there is remote access to the OCSP signing service with
no authentication.

How does this observed behavior square with the remote access security
requirements?

Thanks,
Peter
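The OCSP observation in Peter's message rests on one inference: a response that echoes the nonce from a specific request cannot have been pre-produced, so the signing key must be reachable by an online service. The script below is an added illustration of that check and is not code from the thread or from any CA. It assumes the pyca `cryptography` package; the CA, end-entity certificate and both responders are constructed locally so it runs offline, and `classify_responder` is a hypothetical helper name.

```python
"""Added example: distinguish an online OCSP signer from pre-produced responses.

A responder that echoes the requester's nonce (RFC 6960, id-pkix-ocsp-nonce)
must have signed the response after seeing the request, i.e. the signing key
is online.  A response without the nonce may have been signed in advance.
All keys and certificates here are constructed for the example.
"""
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NONCE_OID = x509.ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")  # id-pkix-ocsp-nonce


def make_ca_and_leaf():
    """Build a throwaway CA and one end-entity certificate (constructed data)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")]))
        .issuer_name(ca_name).public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def build_request(leaf_cert, ca_cert, nonce):
    """OCSP request for leaf_cert carrying a fresh client nonce."""
    return (
        ocsp.OCSPRequestBuilder()
        .add_certificate(leaf_cert, ca_cert, hashes.SHA1())
        .add_extension(x509.OCSPNonce(nonce), critical=False)
        .build()
    )


def sign_response(ca_key, ca_cert, leaf_cert, nonce=None):
    """Sign a GOOD response; echo the nonce only if the caller passes one.

    nonce=None models a responder serving pre-produced responses, which by
    construction cannot know the nonce of a request made later.
    """
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + datetime.timedelta(days=7),
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    if nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def signature_valid(response, ca_cert):
    """Verify the response signature against the (constructed) CA key."""
    try:
        ca_cert.public_key().verify(
            response.signature, response.tbs_response_bytes,
            ec.ECDSA(response.signature_hash_algorithm),
        )
        return True
    except Exception:
        return False


def classify_responder(response, expected_nonce, ca_cert):
    """Hypothetical helper: 'online-signer', 'pre-produced' or 'untrusted'."""
    if not signature_valid(response, ca_cert):
        return "untrusted"
    try:
        ext = response.extensions.get_extension_for_class(x509.OCSPNonce)
    except x509.ExtensionNotFound:
        return "pre-produced"
    return "online-signer" if ext.value.nonce == expected_nonce else "pre-produced"


def run_demo():
    """Exercise both responder models with one nonced request."""
    ca_key, ca_cert, leaf_cert = make_ca_and_leaf()
    nonce = os.urandom(16)
    request = build_request(leaf_cert, ca_cert, nonce)
    req_nonce = request.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    online = sign_response(ca_key, ca_cert, leaf_cert, nonce=req_nonce)
    precomputed = sign_response(ca_key, ca_cert, leaf_cert, nonce=None)
    return {
        "online": classify_responder(online, nonce, ca_cert),
        "precomputed": classify_responder(precomputed, nonce, ca_cert),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run against a real responder, the same `classify_responder` logic (fed the DER body of an HTTP OCSP reply via `ocsp.load_der_ocsp_response`) tells you whether the deployment signs per request or serves pre-produced responses; the former is exactly the condition Peter's message describes, an online service with network reach to the OCSP signing key.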
