[cabfpub] Zones in the NetSec doc

Peter Bowen pzb at amzn.com
Fri Jun 3 01:33:23 UTC 2016

We discussed this some on the Policy WG call today.  I’m going to draft a ballot for a few changes, but wanted to try to get a feeling if I’m headed the right direction.

> On May 25, 2016, at 7:09 PM, Peter Bowen <pzb at amzn.com> wrote:
> 1) What is the difference between a “Secure Zone” and a “High Security Zone”?

A “Secure Zone” can have either physical or logical segmentation.  A “High Security Zone” requires physical segmentation.

> 2) What is the difference between a “network” and a “zone”? (cf. 1(a))

As “zone” is lower case in 1(a), there is no difference.  A proposal is to replace “zone” in 1(a) with a similar word such as “domain”.

> 3) Which systems need to be in a High Security Zone?  The definition of HSZ and 1(c) seem to provide two different answers.

The only systems required to be in a High Security Zone are systems used to create a Root Certificate or to generate, store, or sign with the Private Key associated with a Root Certificate, including the cryptographic hardware.

3b) Which systems need to be in a Secure Zone?

Systems used to:
- sign certificates or validity status information
- to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage
- provide security support functions, such as authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and anti-virus

There was some thought that the third one might be a little over-broad — for example analyzing audit logs could be done outside of the secure zone or systems in the zone could partially depend on systems outside the zone for authentication (e.g. in a 2FA scenario, the one factor might be managed outside the secure zone).

> 4) How does this interact with the WebTrust for CAs 2.0 criteria 3.4 "physical access to CA facilities and equipment is limited to authorized individuals, protected through restricted security perimeters, and is operated under multiple person (at least dual custody) control”?

We didn’t cover this at all.

Is this on the right path?


More information about the Public mailing list