[cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Tim Hollebeek THollebeek at trustwave.com
Fri Aug 21 19:10:04 UTC 2015


The way this is handled in financial standards is to explicitly state in the requirements that information can be stored or transmitted outside of secure environments as long as it is appropriately protected (confidential information is encrypted and information being relied upon for security decisions is appropriately integrity protected and authenticated).

This is generally all it takes to restore sanity to the interpretation of such requirements, so I'd suggest we do something similar here.

-Tim

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: Friday, August 21, 2015 3:00 PM
To: Ben Wilson; Adam Langley
Cc: CABFPub
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

Ben,

I disagree. We do not need to set security requirements for CDNs.

The CDN and the server providing an OCSP Stapling response are both providing signed responses. These responses are signed similarly to the server certificate. If the CDN or server provides a signed response which fails validation then an error will occur per design. As such, it is the signer that must comply with the security requirements.

Bruce.
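The validation step Bruce relies on, as an added example rather than code from anyone in this thread: a relying party accepts an OCSP response only if the embedded responder certificate is signed by the issuing CA and the response signature covers the bytes exactly as delivered, so whoever carries the bytes (a CDN or a stapling web server) cannot change or forge them undetected. It uses the Python `cryptography` library; the CA, the end-entity and responder certificates, the fixed thisUpdate value, and both hostile "CDN" behaviours are constructed here and are not real infrastructure.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc
CA_NAME = "Constructed Root CA"  # assumed name for this example, not a real CA
# Fixed thisUpdate so the tampering step below can locate its DER encoding.
THIS_UPDATE = datetime.datetime(2015, 8, 21, 19, 10, 4, tzinfo=UTC)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pub, signer, is_ca=False, eku=None):
    """Issue a minimal certificate; `signer` is the issuer's private key."""
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject)).issuer_name(_name(issuer))
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if eku is not None:
        b = b.add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
    return b.sign(signer, hashes.SHA256())


def build_pki():
    """Constructed CA, one end-entity cert, and a CA-issued delegated OCSP responder cert."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert(CA_NAME, CA_NAME, ca_key.public_key(), ca_key, is_ca=True)
    ee = _cert("www.example.test", CA_NAME,
               ec.generate_private_key(ec.SECP256R1()).public_key(), ca_key)
    resp_key = ec.generate_private_key(ec.SECP256R1())
    resp_cert = _cert("Constructed OCSP Responder", CA_NAME, resp_key.public_key(),
                      ca_key, eku=ExtendedKeyUsageOID.OCSP_SIGNING)
    return ca, ee, resp_cert, resp_key


def sign_response(ca, ee, resp_cert, resp_key):
    """What the signer produces and hands to a CDN or stapling server: DER bytes."""
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=ee, issuer=ca, algorithm=hashes.SHA256(),
                       cert_status=ocsp.OCSPCertStatus.GOOD, this_update=THIS_UPDATE,
                       next_update=THIS_UPDATE + datetime.timedelta(days=7),
                       revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, resp_cert)
         .certificates([resp_cert]))
    return b.sign(resp_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def cdn_tampers(der):
    """Hostile deliverer edits thisUpdate in place (same length, so the DER still parses)."""
    changed = der.replace(b"20150821191004Z", b"20150821191005Z")
    assert changed != der, "thisUpdate not found in DER"
    return changed


def cdn_resigns(ca, ee):
    """Hostile deliverer forges a response under its own key with a look-alike responder cert."""
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue_cert = _cert("Constructed OCSP Responder", CA_NAME, rogue_key.public_key(),
                       rogue_key, eku=ExtendedKeyUsageOID.OCSP_SIGNING)
    return sign_response(ca, ee, rogue_cert, rogue_key)


def relying_party_check(der, ca):
    """Validate as a client would, regardless of who delivered the bytes."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("non-successful OCSP response")
    # 1. The responder certificate must be signed by the issuing CA and carry id-kp-OCSPSigning.
    responder = resp.certificates[0]
    ca.public_key().verify(responder.signature, responder.tbs_certificate_bytes,
                           ec.ECDSA(responder.signature_hash_algorithm))
    eku = responder.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        raise ValueError("responder certificate lacks id-kp-OCSPSigning")
    # 2. The signature must cover tbsResponseData exactly as delivered.
    responder.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                  ec.ECDSA(resp.signature_hash_algorithm))
    return resp.certificate_status.name


def _outcome(der, ca):
    try:
        return relying_party_check(der, ca)
    except InvalidSignature:
        return "REJECTED"


def demo():
    """Client verdict for honest delivery, an edited response, and a re-signed forgery."""
    ca, ee, resp_cert, resp_key = build_pki()
    der = sign_response(ca, ee, resp_cert, resp_key)
    return (_outcome(der, ca), _outcome(cdn_tampers(der), ca), _outcome(cdn_resigns(ca, ee), ca))


if __name__ == "__main__":
    print(demo())  # ('GOOD', 'REJECTED', 'REJECTED')
```

The two hostile cases fail at different checks: the edited response fails the signature over tbsResponseData, and the forged one fails because its responder certificate does not chain to the CA. Neither check involves anything about the deliverer, which is the sense in which only the signer's environment matters for integrity; what a CDN or stapling server can still do is serve a stale (but still valid) response or none at all, which these checks do not address.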

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Friday, August 21, 2015 1:25 PM
To: Adam Langley <agl at google.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

It might be good for a working group to write up the security expectations of CDNs based on a threat-risk assessment.

-----Original Message-----
From: Adam Langley [mailto:agl at google.com]
Sent: Friday, August 21, 2015 11:13 AM
To: Ben Wilson <ben.wilson at digicert.com>
Cc: Ryan Sleevi <sleevi at google.com>; CABFPub <public at cabforum.org>; Peter Bowen <pzbowen at gmail.com>
Subject: Re: [cabfpub] Fwd: [CABFORUM] Questions on the network & certificate system security requirements

On Fri, Aug 21, 2015 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
> That being said, CDNs still need to meet security standards because
> they provide status information to end users.  One might expect
> auditors to ask CAs to provide a copy of the CDNs’ SOC 2 / SSAE 16
> reports, and that CAs should be requesting copies of those from CDNs
> on an annual basis.

On that basis, aren't all servers that perform OCSP stapling "provid[ing] status information to end users" and thus subject to the same requirements?


Cheers

AGL
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
