[cabfpub] NOTICE OF REVIEW PERIOD – BALLOT 201

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Aug 31 23:00:01 UTC 2017 

NOTICE OF REVIEW PERIOD – BALLOT 210

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.2).  This Review Period is for Final Maintenance Guidelines (30 day Review Period).  A complete draft of the Draft Guideline that is the subject of this Review Notice is attached.

Date Review Notice Sent:             August 31, 2017

Ballot for Review:                          Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Start of Review Period:                 Sept. 1, 2017 at 01:00 UTC

End of Review Period:                  Oct. 1, 2017 at 01:00 UTC

Please forward any Exclusion Notice relating to Essential Claims to the Chair by email to kirk.hall at entrustdatacard.com<mailto:kirk.hall at entrustdatacard.com> before the end of the Review Period.  See current version of CA/Browser Forum Intellectual Property Rights Policy for details.

(Optional form of Exclusion Notice is attached)

Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

--Motion Begins--

In the Network and Certificate System Security Requirements:

ADD ETSI EN 319 411-1 to first sentence of the Scope and Applicability section so that it reads "These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs) and are adopted with the intent that all such CAs and Delegated Third Parties be audited for conformity with these Requirements as soon as they have been incorporated as mandatory requirements (if not already mandatory requirements) in the root embedding program for any major Internet browsing client and that they be incorporated into the WebTrust Service Principles and Criteria for Certification Authorities, ETSI TS 101 456, ETSI TS 102 042 and ETSI EN 319 411-1 including revisions and implementations thereof, including any audit scheme that purports to determine conformity therewith."

REPLACE section 1.a. with "a. Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs;"

REPLACE section 1.b. with "b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System;"

REPLACE "90 days" with "three (3) months" in section 2.g.ii. and 2.j so that they read "ii. For accounts that are accessible from outside a Secure Zone or High Security Zone, require that passwords have at least eight (8) characters, be changed at least every three (3) months, use a combination of at least numeric and alphabetic characters, that are not a dictionary word or on a list of previously disclosed human-generated passwords, and not be one of the user's previous four (4) passwords; and implement account lockout for failed access attempts in accordance with subsection k; OR"

AND

"j. Review all system accounts at least every three (3) months and deactivate any accounts that are no longer necessary for operations;"

REPLACE section 2.m. with "m. Enforce multi-factor OR multi-party authentication for administrator access to Issuing Systems and Certificate Management Systems;"

REPLACE section 2.o. with "o. Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when: (i) the remote connection originates from a device owned or controlled by the CA or Delegated Third Party, (ii) the remote connection is through a temporary, non-persistent encrypted channel that is supported by multi-factor authentication, and (iii) the remote connection is made to a designated intermediary device (a) located within the CA’s network, (b) secured in accordance with these Requirements, and (c) that mediates the remote connection to the Issuing System."

REPLACE "every 30 days and" with "once a month to" in section 3.e. so that it reads "e. Conduct a human review of application and system logs at least once a month to validate the integrity of logging processes and ensure that monitoring, logging, alerting, and log-integrity-verification functions are operating properly (the CA or Delegated Third Party MAY use an in-house or third-party audit log reduction and analysis tool); and"

REPLACE 4.a. with "a. Implement intrusion detection and prevention controls under the control of CA or Delegated Third Party Trusted Roles to protect Certificate Systems against common network and system threats;"

REPLACE 4.C. with "c. Undergo or perform a Vulnerability Scan (i) within one (1) week of receiving a request from the CA/Browser Forum, (ii) after any system or network changes that the CA determines are significant, and (iii) at least every three (3) months, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems;"

REPLACE the definition of Security Support System in the Definitions with "Security Support System: A system used to provide security support functions, which MAY include authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and intrusion detection (Host-based intrusion detection, Network-based intrusion detection)."

Make other editorial changes as indicated at https://github.com/cabforum/documents/pull/64/files and in the attached PDF.

--Motion Ends—

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170831/6e1f425e/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot 210 Review Notice and Exclusion Notice Template.pdf
Type: application/pdf
Size: 388881 bytes
Desc: Ballot 210 Review Notice and Exclusion Notice Template.pdf
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170831/6e1f425e/attachment-0002.pdf>

More information about the Public mailing list