[cabfpub] Zones in the NetSec doc

Peter Bowen pzb at amzn.com
Thu May 26 02:09:30 UTC 2016

I was late to the Network and Certificate System Security (NetSec) Requirements discussion today, so didn’t get a chance to ask about Zones.  From my reading, the NetSec requirements  are somewhat contradictory and confusing when it comes to “zones”.  I’m hoping that the Forum will consider revising them to give clarity to the requirements.

In the definitions section, one finds the following:

Zone: A subset of Certificate Systems created by the logical or physical partitioning of systems from other Certificate Systems.

Secure Zone: An area (physical or logical) protected by physical and logical controls that appropriately protect the confidentiality, integrity, and availability of Certificate Systems.

High Security Zone: A physical location where a CA’s or Delegated Third Party’s Private Key or cryptographic hardware is located.

Certificate Systems: The system used by a CA or Delegated Third Party in providing identity verification, registration and enrollment, certificate approval, issuance, validity status, support, and other PKI-related services.

Issuing System: A system used to sign certificates or validity status information.

Certificate Management System: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage.

Security Support System: A system used to provide security support functions, such as authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and anti- virus.

Then section 1 says that the CA shall:

a) Segment Certificate Systems into networks or zones based on their functional, logical, and physical (including location) relationship;

b) Apply the same security controls to all systems co-located in the same zone with a Certificate System;

c) Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks;

d) Maintain and protect Issuing Systems, Certificate Management Systems, and Security Support Systems in at least a Secure Zone;


1) What is the difference beween a “Secure Zone” and a “High Security Zone”?

2) What is the difference between a “network” and a “zone”? (cf. 1(a))

3) Which systems need to be in a High Security Zone?  The definition of HSZ and 1(c) seem to provide two different answers.

4) How does this interact with the WebTrust for CAs 2.0 criteria 3.4 "physical access to CA facilities and equipment is limited to authorized individuals, protected through restricted security perimeters, and is operated under multiple person (at least dual custody) control”?


More information about the Public mailing list