[cabfpub] Remote access clarification

Ryan Sleevi sleevi at google.com
Tue Aug 25 16:25:24 UTC 2015


---------- Forwarded message ----------
From: Peter Bowen <pzbowen at gmail.com>
Date: Mon, Aug 24, 2015 at 3:58 PM
Subject: Remote access clarification


The Network and Certificate System Security Requirements set forth by
the CA/Browser Forum discuss "remote" access to Certificate Management
Systems.  Ben Wilson kindly suggested that remote is essentially when
the access to the system occurs without needing physical access to the
system.  The security requirements say that remote access must be
from a pre-approved IP address, via an intermediary device, and
authenticated via multi-factor authentication.

I'm having a hard time squaring this with what I've observed.  Most
CAs appear to have some sort of web interface or API that allows
customers to request certificates containing pre-approved or
automatically validated domain names.  The latency from request to
receipt of certificates is usually low, typically well under 10
minutes, and is available around the clock.  This strongly suggests
that there is automatic remote access involved.

Additionally some CAs offer OCSP service which supports nonces in
responses or signed unknown responses for anonymous requests. The
response latency is usually a few seconds at most.  This also strongly
suggests that there is remote access to the OCSP signing service with
no authentication.

How does this observed behavior square with the remote access security
requirements?

Thanks,
Peter