[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Bruce Morton bruce.morton at entrust.com
Fri Aug 21 13:19:56 UTC 2015

I don’t think there is an issue with using CDNs to provide CRL and OCSP responses. The CDN would have responses which were signed by the CA. The CDN does not have to make the signature, just provide the signed response. I think this is very similar to OCSP Stapling, where the server does not sign the OCSP response, but just serves it.

Of course if the signed response is compromised, then the verification would fail, per design.


From: public-bounces at cabforum.org On Behalf Of Ryan Sleevi
Sent: Friday, August 21, 2015 12:57 AM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

---------- Forwarded message ----------
From: Peter Bowen <pzbowen at gmail.com>
Date: Thu, Aug 20, 2015 at 9:17 PM
Subject: [CABFORUM] Questions on the network & certificate system security requirements
To: Ryan Sleevi <sleevi at google.com>

I've gotten several different interpretations of the network security
requirements that are included in version 2 of the WebTrust SSL
Baseline with Network Security criteria (which are the Network and
Certificate System Security Requirements set forth by the CA/Browser
Forum).  I have two questions:

According to the Requirements, each CA must maintain and protect
Issuing Systems, Certificate Management Systems, and Security Support
Systems in at least a Secure Zone (1.d), ensure that only personnel
assigned to Trusted Roles have access to Secure Zones and High
Security Zones (2.c), and apply the same security controls to all
systems co-located in the same zone with a Certificate System (1.b).
"Certificate Management Systems" are systems used to process, approve
issuance of, or store certificates or certificate status information,
including the database, database server, and storage.

This would appear to include OCSP responders, systems that store OCSP
responses, and repositories storing CRLs or certificates.   This would
appear to make it very hard to use CDNs, as they are clearly storing
certificate status information but are not in a secure zone.  Is this
the intent?

There is also a requirement around remote administration or access to
certain systems (2.o).  However "remote" is not defined.  Does remote
mean access other than by connecting the system via a local console or
is there another definition of remote?
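
Bruce's point above, as an added example that is not part of the original thread (it assumes a throw-away CA key and one constructed revoked serial, built with Go's standard library): the CA signs a CRL once inside its own zone, an untrusted host such as a CDN only has to serve the bytes, and the relying party accepts them solely on the CA's signature, so any change made on the CDN side is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildSignedCRL plays the CA (the part that stays in the Secure Zone): a
// throw-away CA key and certificate sign a CRL listing one constructed revoked
// serial. It returns the CA certificate and the DER CRL the CDN would serve.
func BuildSignedCRL() (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		IsCA:         true, BasicConstraintsValid: true, // SKI is derived automatically for a CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	caCert, err := x509.ParseCertificate(der)
	if err != nil { return nil, nil, err }
	crl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4242), RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, caCert, key)
	return caCert, crlDER, err
}

// VerifyServedCRL is the relying party: it takes CRL bytes from wherever they
// were fetched (a CDN, a mirror, a stapled copy) and trusts them only if the
// CA's signature verifies. Any byte altered in transit makes this return an error.
func VerifyServedCRL(caCert *x509.Certificate, crlDER []byte) error {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	return rl.CheckSignatureFrom(caCert)
}
```

The same check is what a client performs on an OCSP response served by a CDN or stapled by a TLS server: the signer is the CA (or its delegated responder), never the host that delivered the bytes.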

