[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Ben Wilson ben.wilson at digicert.com
Fri Aug 21 13:24:23 UTC 2015


Thanks for forwarding this Ryan.

 

I cannot speak for what the Forum intended, only what my interpretation is, but I did work on the document.  When we finished up we didn’t receive many comments even though we strongly solicited them.  The thought was that questions like Peter’s would tease out the details that needed more clarification and that we could amend the requirements based on such subsequent comments.  We also have discussed tracking and working on these issues as they come up, either in GitHub or in Bugzilla.

 

1 – Peter wrote, “This would appear to include OCSP responders, systems that store OCSP

responses, and repositories storing CRLs or certificates.   This would

appear to make it very hard to use CDNs, as they are clearly storing

certificate status information but are not in a secure zone.  Is this

the intent?”

 

CDNs are not part of this group of systems with higher security standards because (1) they are republishing status information that is stored elsewhere in other databases, and (2) they would be difficult to include in the scope of CA audits.  That being said, CDNs still need to meet security standards because they provide status information to end users.  One might expect auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16 reports, and that CAs should be requesting copies of those from CDNs on an annual basis. 

 

2  – Peter also wrote, “There is also a requirement around remote administration or access to

certain systems (2.o).  However "remote" is not defined.  Does remote

mean access other than by connecting the system via a local console or

is there another definition of remote?”

 

As was discussed during the time leading up to the finalization of this requirement, some CAs have a remote way of connecting to the CA.  The CA system is usually in a locked cage or vault that is difficult to access physically, because it requires that two people enter the room and stay while operations are being performed.  (In this case, remote does not mean “local console”, as when you are on a private subnet that only connects the CA to the console via a cross-over Ethernet cable.)  However, in most day-to-day operations, a CA is accessed “remotely”, and in that case I think it is pretty obvious that the CA system should not be directly accessible by IP address without an intermediary security access control system.  Some have called such system a “jump host” or a “bastion host.”  That’s what section 2.o explains.

 

Peter, do these answer your questions?  Feel free to ask follow-up questions.

 

Ben

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi
Sent: Thursday, August 20, 2015 10:57 PM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

 

 

---------- Forwarded message ----------
From: Peter Bowen <pzbowen at gmail.com <mailto:pzbowen at gmail.com> >
Date: Thu, Aug 20, 2015 at 9:17 PM
Subject: [CABFORUM] Questions on the network & certificate system security requirements
To: Ryan Sleevi <sleevi at google.com <mailto:sleevi at google.com> >


I've gotten several different interpretations of the network security
requirements that are included in version 2 of the WebTrust SSL
Baseline with Network Security criteria (which are the Network and
Certificate System Security Requirements set forth by the CA/Browser
Forum).  I have two questions:

According to the Requirements, each CA must maintain and protect
Issuing Systems, Certificate Management Systems, and Security Support
Systems in at least a Secure Zone (1.d), ensure that only personnel
assigned to Trusted Roles have access to Secure Zones and High
Security Zones (2.c), and apply the same security controls to all
systems co-located in the same zone with a Certificate System. (1.b).
"Certificate Management Systems" are systems to used process, approve
issuance of, or store certificates or certificate status information,
including the database, database server, and storage.

This would appear to include OCSP responders, systems that store OCSP
responses, and repositories storing CRLs or certificates.   This would
appear to make it very hard to use CDNs, as they are clearly storing
certificate status information but are not in a secure zone.  Is this
the intent?

There is also a requirement around remote administration or access to
certain systems (2.o).  However "remote" is not defined.  Does remote
mean access other than by connecting the system via a local console or
is there another definition of remote?

Thanks,
Peter

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150821/c88ebdbe/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4954 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150821/c88ebdbe/attachment-0001.p7s>


More information about the Public mailing list