[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Bruce Morton bruce.morton at entrust.com
Fri Aug 21 19:00:29 UTC 2015


Ben,

I disagree. We do not need to set security requirements for CDNs.

The CDN and the server providing an OCSP Stapling response are both providing signed responses. These responses are signed similarly to the server certificate. If the CDN or server provides a signed response which fails validation then an error will occur per design. As such, it is the signer that must comply with the security requirements.

Bruce.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, August 21, 2015 1:25 PM
To: Adam Langley <agl at google.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

It might be good for a working group to write up the security expectations of CDNs based on a threat-risk assessment.

-----Original Message-----
From: Adam Langley [mailto:agl at google.com]
Sent: Friday, August 21, 2015 11:13 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: Ryan Sleevi <sleevi at google.com>; CABFPub <public at cabforum.org>; Peter Bowen <pzbowen at gmail.com>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> That being said, CDNs still need to meet security standards because 
> they provide status information to end users.  One might expect 
> auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16 
> reports, and that CAs should be requesting copies of those from CDNs 
> on an annual basis.

On that basis, aren't all servers that perform OCSP stapling "provid[ing] status information to end users" and thus subject to the same requirements?


Cheers

AGL
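The mechanism Bruce relies on above, shown as an added example that is not code from this thread or from any CA/Browser Forum document: the CDN (or a stapling web server) only relays bytes, and what protects the status is the relying party's signature check under the responder's key, not the relay's own security posture. The Go below is a deliberately reduced model using only the standard library (ECDSA over a small ASN.1 structure), not the RFC 6960 OCSP encoding; the names StatusData, SignedResponse, Validate and RunScenario are this example's own, and the serial number and timestamps are constructed. It also shows the one case the signature does not cover: a relay serving an old but genuinely signed response is rejected only by the nextUpdate freshness check, which is why a validator must do both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// StatusData models the signed part of a status response (the analogue of
// OCSP's tbsResponseData). Illustrative only; not the RFC 6960 structure.
type StatusData struct {
	Serial     *big.Int
	Good       bool
	ThisUpdate time.Time
	NextUpdate time.Time
}

// SignedResponse is what a CDN or a stapling server relays: the DER bytes
// of StatusData plus the responder's signature over them.
type SignedResponse struct {
	Data      []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify under the responder key")
	ErrMalformed    = errors.New("signed data does not decode")
	ErrStale        = errors.New("response is outside its thisUpdate/nextUpdate window")
	ErrWrongSerial  = errors.New("response answers for a different certificate")
)

// Sign is the responder's job: only the holder of the private key can do it.
func Sign(key *ecdsa.PrivateKey, d StatusData) (SignedResponse, error) {
	der, err := asn1.Marshal(d)
	if err != nil {
		return SignedResponse{}, err
	}
	digest := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{Data: der, Signature: sig}, nil
}

// Validate is the relying party's job and does not depend on who delivered
// the bytes: verify the signature first, then decode, then check freshness
// and that the response is for the certificate actually being checked.
func Validate(pub *ecdsa.PublicKey, r SignedResponse, serial *big.Int, now time.Time) (StatusData, error) {
	digest := sha256.Sum256(r.Data)
	if !ecdsa.VerifyASN1(pub, digest[:], r.Signature) {
		return StatusData{}, ErrBadSignature
	}
	var d StatusData
	rest, err := asn1.Unmarshal(r.Data, &d)
	if err != nil || len(rest) != 0 {
		return StatusData{}, ErrMalformed
	}
	if now.Before(d.ThisUpdate) || now.After(d.NextUpdate) {
		return StatusData{}, ErrStale
	}
	if d.Serial.Cmp(serial) != 0 {
		return StatusData{}, ErrWrongSerial
	}
	return d, nil
}

// RunScenario signs one good response and returns the validation result for
// (genuine) the response as issued, (tampered) a copy whose body a relay
// altered while keeping the original signature, and (stale) the genuine
// response presented after its nextUpdate.
func RunScenario() (genuine, tampered, stale error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	serial := big.NewInt(0x1f2e3d) // constructed sample serial number
	issued := time.Date(2015, time.August, 21, 19, 0, 29, 0, time.UTC)
	good := StatusData{Serial: serial, Good: true, ThisUpdate: issued, NextUpdate: issued.Add(7 * 24 * time.Hour)}
	resp, err := Sign(key, good)
	if err != nil {
		return err, err, err
	}
	now := issued.Add(30 * time.Minute)
	_, genuine = Validate(&key.PublicKey, resp, serial, now)

	// A relay that changes the body cannot re-sign it: status flipped, signature reused.
	altered := good
	altered.Good = false
	alteredDER, _ := asn1.Marshal(altered)
	_, tampered = Validate(&key.PublicKey, SignedResponse{Data: alteredDER, Signature: resp.Signature}, serial, now)

	// A relay serving an old, genuinely signed copy passes the signature check
	// and is rejected only by the freshness window.
	_, stale = Validate(&key.PublicKey, resp, serial, issued.Add(8*24*time.Hour))
	return genuine, tampered, stale
}

func main() {
	g, t, s := RunScenario()
	fmt.Println("genuine:", g)
	fmt.Println("tampered body:", t)
	fmt.Println("stale copy:", s)
}
```

The order inside Validate matters: the signature is checked before anything is decoded or trusted, so a relay that cannot sign can affect availability (a rejected response) but not the status the client accepts, which is the design behaviour Bruce describes.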

