[cabfpub] Ballot 170 - Amend Section 5.1 of Baseline Requirements

陳立群 realsky at cht.com.tw
Thu Jun 16 01:03:17 UTC 2016

Chunghwa Telecom Co., Ltd.  votes “Yes” 


Sincerely Yours,


                    Li-Chun CHEN

                    Senior Engineer

                    CISSP, CISA, CISM, PMP,

                    Information & Communication Security Dept.

                    Data Communication Business Group

                    Chunghwa Telecom Co. Ltd.

                    realsky at cht.com.tw




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, June 03, 2016 4:04 AM
Subject: [cabfpub] Ballot 170 - Amend Section 5.1 of Baseline Requirements


Ballot 170 - Amend Section 5.1 of Baseline Requirements 

The Policy Review Working Group has reviewed Section 5.1 of the Baseline
Requirements and, as a result, suggests that certain changes be made.
Therefore, the following motion has been proposed by Ben Wilson of DigiCert
and endorsed by Robin Alden of Comodo and Li-Chun CHEN of Chunghwa Telecom: 


In Section 5.1.1 Site location and construction add: 

The location and construction of the facilities housing the CA and RA
equipment SHALL be consistent with facilities used to house high-value,
sensitive information. The site location and construction, when combined
with other physical security protection mechanisms such as guards, high
security locks, and intrusion sensors, SHALL provide robust protection
against unauthorized access to the CA equipment and records. 

In Section 5.1.2 Physical access add: 

CAs SHALL maintain controls to provide reasonable assurance that: physical
access to CA facilities and equipment is limited to authorized individuals,
protected through restricted security perimeters, and is operated under
multiple person (at least dual custody) control; CA facilities and equipment
are protected from environmental hazards; loss, damage or compromise of
assets and interruption to business activities are prevented; and compromise
of information and information processing facilities is prevented. 

In Section 5.1.3 Power and air conditioning add: 

The CA SHALL have backup power capability sufficient to lock out input,
finish any pending actions, and record the state of the equipment
automatically before lack of power or air conditioning causes a shutdown.
The backup power capabilities SHALL support the availability requirements of
Section 4.10.2. 

In Section 5.1.4 Water exposures add: 

CA equipment SHALL be installed such that it is not in danger of exposure to
water (e.g., on tables or elevated floors). Potential water damage from fire
prevention and protection measures (e.g., sprinkler systems) SHOULD be

In Section 5.1.5 Fire prevention and protection add: 

The CA SHALL comply with local commercial building codes for fire prevention
and protection. 

In Section 5.1.6 Media storage add: 

Media SHALL be stored so as to protect it from accidental damage (water,
fire, electromagnetic) and unauthorized physical access. Media not required
for daily operation or not required by policy to remain with the CA or RA
that contains security audit, archive, or backup information SHALL be stored
securely in a location separate from the CA or RA equipment. 

Media containing private key material SHALL be handled, packaged, and stored
in a manner compliant with the requirements for the sensitivity level of the
information it protects or to which it provides access. Storage protection
of CA and RA private key material SHALL be consistent with stipulations in
Section 5.1.2. 

In Section 5.1.7 Waste disposal add: 

Sensitive media and documentation that are no longer needed for operations
SHALL be destroyed in a secure manner. For example, sensitive paper
documentation shall be shredded, burned, or otherwise rendered

In Section 5.1.8 Off-site backup add: 

The purpose of an off-site backup is to recover from system failure
resulting from damage to the equipment or similar causes. For components of
the Certificate System operated in an online fashion, any backup necessary
to recover from system failure SHALL be made at least once per week or so
that no changes made prior to the last week might be lost. Root CA Systems
and other components operated in an offline fashion SHALL be backed up prior
to taking them offline. Only the latest backup needs to be retained. The
backup SHALL be stored at a separate site with physical and procedural
controls sufficient to protect the confidentiality, integrity, and
availability of the information backed up. 


The review period for this ballot shall commence at 2200 UTC on 2 June 2016,
and will close at 2200 UTC on 9 June 2016. Unless the motion is withdrawn
during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on 16 June 2016. Votes must be cast by
posting an on-list reply to this thread. 

A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: https://cabforum.org/members/ 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently ten
(10) members– at least ten members must participate in the ballot, either
by voting in favor, voting against, or abstaining. 


本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160616/a7763d7a/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6665 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160616/a7763d7a/attachment-0001.p7s>

More information about the Public mailing list