[cabfpub] Zones in the NetSec doc

Wayne Thayer wthayer at godaddy.com
Fri Jun 3 03:43:41 UTC 2016


>> The only systems required to be in a High Security Zone are systems used to create a Root Certificate or to generate, store, or sign with the Private Key associated with a Root Certificate, including the cryptographic hardware.

I can agree with your conclusion above, but I think it's confusing to even use the term 'Zone' when referring to root key material that is stored offline and activated in an air gapped environment, while also using the term 'Zone' to refer to a physical or logical network environment housing online systems. I think we should either get rid of the term 'High Security Zone', or apply it to online issuing CAs if there is a desire to segment and/or apply a higher standard to systems used to perform signing operations.

>> There was some thought that the third one might be a little over-broad — for example analyzing audit logs could be done outside of the secure zone or systems in the zone could partially depend on systems outside the zone for authentication (e.g. in a 2FA scenario, the one factor might be managed outside the secure zone).

+1 - audit log analysis should be excluded

Thanks,

Wayne

________________________________________
From: public-bounces at cabforum.org <public-bounces at cabforum.org> on behalf of Peter Bowen <pzb at amzn.com>
Sent: Thursday, June 02, 2016 6:33 PM
To: CABFPub
Subject: Re: [cabfpub] Zones in the NetSec doc

We discussed this some on the Policy WG call today.  I’m going to draft a ballot for a few changes, but wanted to try to get a feeling if I’m headed the right direction.

> On May 25, 2016, at 7:09 PM, Peter Bowen <pzb at amzn.com> wrote:
>
> 1) What is the difference between a “Secure Zone” and a “High Security Zone”?

A “Secure Zone” can have either physical or logical segmentation.  A “High Security Zone” requires physical segmentation.

> 2) What is the difference between a “network” and a “zone”? (cf. 1(a))

As “zone” is lower case in 1(a), there is no difference.  A proposal is to replace “zone” in 1(a) with a similar word such as “domain”.

> 3) Which systems need to be in a High Security Zone?  The definition of HSZ and 1(c) seem to provide two different answers.

The only systems required to be in a High Security Zone are systems used to create a Root Certificate or to generate, store, or sign with the Private Key associated with a Root Certificate, including the cryptographic hardware.

3b) Which systems need to be in a Secure Zone?

Systems used to:
- sign certificates or validity status information
- process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage
- provide security support functions, such as authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and anti-virus

There was some thought that the third one might be a little over-broad — for example analyzing audit logs could be done outside of the secure zone or systems in the zone could partially depend on systems outside the zone for authentication (e.g. in a 2FA scenario, the one factor might be managed outside the secure zone).

> 4) How does this interact with the WebTrust for CAs 2.0 criteria 3.4 “physical access to CA facilities and equipment is limited to authorized individuals, protected through restricted security perimeters, and is operated under multiple person (at least dual custody) control”?

We didn’t cover this at all.

Is this on the right path?

Thanks,
Peter
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
