[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

[Ryan Sleevi]

---------- Forwarded message ----------
From: Peter Bowen <pzbowen at gmail.com>
Date: Thu, Aug 20, 2015 at 9:17 PM
Subject: [CABFORUM] Questions on the network & certificate system security
requirements
To: Ryan Sleevi <sleevi at google.com>


I've gotten several different interpretations of the network security
requirements that are included in version 2 of the WebTrust SSL
Baseline with Network Security criteria (which are the Network and
Certificate System Security Requirements set forth by the CA/Browser
Forum).  I have two questions:

According to the Requirements, each CA must maintain and protect
Issuing Systems, Certificate Management Systems, and Security Support
Systems in at least a Secure Zone (1.d), ensure that only personnel
assigned to Trusted Roles have access to Secure Zones and High
Security Zones (2.c), and apply the same security controls to all
systems co-located in the same zone with a Certificate System. (1.b).
"Certificate Management Systems" are systems to used process, approve
issuance of, or store certificates or certificate status information,
including the database, database server, and storage.

This would appear to include OCSP responders, systems that store OCSP
responses, and repositories storing CRLs or certificates.   This would
appear to make it very hard to use CDNs, as they are clearly storing
certificate status information but are not in a secure zone.  Is this
the intent?

There is also a requirement around remote administration or access to
certain systems (2.o).  However "remote" is not defined.  Does remote
mean access other than by connecting the system via a local console or
is there another definition of remote?

Thanks,
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150820/013c1565/attachment-0002.html>