[cabfpub] Ballot 210: Misc. Changes to the Network and Certificate System Security Requirements

Peter Bowen pzb at amzn.com
Tue Aug 15 08:43:17 MST 2017


> On Aug 14, 2017, at 5:52 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> It's good you have a full ballot ready to go. It'd be useful to
> understand further context behind these proposals, beyond just
> "Network Security Working Group recommends"
> 
> For example, ideally it'd be useful to understand the overarching
> motivation, and the motivation for each and every specific change. For
> example, are these changes related to solving the same problem, or are
> they solving different, independent problems?
> 
> If there are threads from the (public, correct?) NSWG mailing list
> that can be referenced, that'd be great as well.
> 
> For example, the changes to 1.a represent a substantial change in the
> security and risk profile here - we move from physical separation into
> VLAN tagging. While VLAN tagging can be implemented by managed devices
> (e.g. switches), it can also be implemented at the host end, which
> means that a compromised host could, conceptually, 'uplift' itself
> from an untrusted zone to a trusted zone if it were to be compromised.
> Understanding if this was a goal (as it may very well be, given
> concerns raised about 1.a in the past) is useful to help members
> understand if the security risk is worth it.

Ryan,

For 1.a, I disagree that this changes the scope.  The current text says "Segment Certificate Systems into networks or zones" (note the "or").  If you assume "zone" is meant to be the defined term, then its definition also comes into play: "A subset of Certificate Systems created by the logical or physical partitioning of systems from other Certificate Systems."

In both cases, it is reasonable that VLAN is an example of the existing “network” or “logical partitioning”.

Thanks,
Peter
