[cabfpub] Remote access clarification

Ryan Sleevi sleevi at google.com
Tue Aug 25 23:24:04 UTC 2015


Reposting for Peter.
On Aug 25, 2015 4:14 PM, "Peter Bowen" <pzbowen at gmail.com> wrote:

> I'm sure there is a firewall in place, but the requirement is not just
> "proxied" or "firewall", it is multi-factor authentication and is via
> temporary non-persistent encrypted channel.
>
> Or am I not parsing the requirement and the CA can choose to require
> it for only remote administration but not regular access?
>
> On Tue, Aug 25, 2015 at 11:32 AM, Dean Coclin <Dean_Coclin at symantec.com>
> wrote:
> > Couldn’t this “automatic remote access” be proxied such that there is no
> > direct connection from the outside?
> >
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Ryan Sleevi
> > Sent: Tuesday, August 25, 2015 12:25 PM
> > To: CABFPub
> > Subject: [cabfpub] Remote access clarification
> >
> > ---------- Forwarded message ----------
> > From: Peter Bowen <pzbowen at gmail.com>
> > Date: Mon, Aug 24, 2015 at 3:58 PM
> > Subject: Remote access clarification
> >
> > The Network and Certificate System Security Requirements set forth by
> > the CA/Browser Forum discuss "remote" access to Certificate Management
> > Systems.  Ben Wilson kindly suggested that remote is essentially when
> > the access to the system occurs without needing physical access to the
> > system.  The security requirements say that remote access must be
> > from a pre-approved IP address, via an intermediary device, and
> > authenticated via multi-factor authentication.
> >
> > I'm having a hard time squaring this with what I've observed.  Most
> > CAs appear to have some sort of web interface or API that allows
> > customers to request certificates containing pre-approved or
> > automatically validated domain names.  The latency from request to
> > receipt of certificates is usually low, usually well under 10
> > minutes, and is available around the clock.  This strongly suggests
> > that there is automatic remote access involved.
> >
> > Additionally some CAs offer OCSP service which supports nonces in
> > responses or signed unknown responses for anonymous requests. The
> > response latency is usually a few seconds at most.  This also strongly
> > suggests that there is remote access to the OCSP signing service with
> > no authentication.
> >
> > How does this observed behavior square with the remote access security
> > requirements?
> >
> > Thanks,
> > Peter
> >
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
> >
>
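The conditions Peter quotes (pre-approved source address, intermediary device, multi-factor authentication, and a temporary non-persistent encrypted channel) are easy to audit mechanically once sessions to a Certificate Management System are logged. The script below is an added example, not part of the thread or of any CA's tooling: it runs a small set of constructed session-log lines (a hypothetical `key=value` format) against those conditions and reports which ones each session fails. The pre-approved networks and bastion names are assumptions for illustration, and the code takes no position on the thread's open question of whether customer-facing API or OCSP traffic counts as remote access.

```python
"""Audit constructed CMS session-log lines against the remote-access conditions quoted in the thread."""
import ipaddress

# Assumed (constructed) pre-approved source ranges and intermediary device names.
PRE_APPROVED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]
INTERMEDIARY_DEVICES = {"bastion-1", "bastion-2"}

# Constructed sample log: one session per line, key=value fields (hypothetical format).
SAMPLE_LOG = """\
ts=2015-08-25T10:00:00Z user=alice src=203.0.113.7 via=bastion-1 mfa=totp enc=yes persistent=no
ts=2015-08-25T10:05:00Z user=bob src=192.0.2.44 via=bastion-1 mfa=totp enc=yes persistent=no
ts=2015-08-25T10:10:00Z user=carol src=203.0.113.9 via=- mfa=totp enc=yes persistent=no
ts=2015-08-25T10:15:00Z user=dave src=198.51.100.10 via=bastion-2 mfa=none enc=yes persistent=no
ts=2015-08-25T10:20:00Z user=erin src=203.0.113.12 via=bastion-2 mfa=u2f enc=no persistent=yes
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored rather than aborting the audit."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def check_session(fields):
    """Return the list of conditions this session fails (an empty list means compliant)."""
    violations = []
    # Condition 1: source must be a pre-approved IP address.
    try:
        src = ipaddress.ip_address(fields.get("src", ""))
        if not any(src in net for net in PRE_APPROVED_SOURCES):
            violations.append("source-not-preapproved")
    except ValueError:
        violations.append("source-unparseable")
    # Condition 2: access must pass through a known intermediary device.
    if fields.get("via") not in INTERMEDIARY_DEVICES:
        violations.append("no-intermediary-device")
    # Condition 3: multi-factor authentication must have been used.
    if fields.get("mfa", "none") == "none":
        violations.append("no-multi-factor")
    # Condition 4: the channel must be encrypted and temporary (non-persistent).
    if fields.get("enc") != "yes":
        violations.append("channel-not-encrypted")
    if fields.get("persistent") == "yes":
        violations.append("channel-persistent")
    return violations


def audit(log_text):
    """Map each session, keyed by (timestamp, user), to its list of violations; blank lines are skipped."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        report[(fields.get("ts"), fields.get("user"))] = check_session(fields)
    return report


if __name__ == "__main__":
    for (ts, user), problems in audit(SAMPLE_LOG).items():
        print(ts, user, "OK" if not problems else ", ".join(problems))
```

Each session in the sample fails exactly one of the conditions except alice (compliant) and erin (unencrypted and persistent), so the report doubles as a checklist of what a CA's own logging would need to capture for this kind of review to be possible at all.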