[cabfpub] Discussion Period for Ballot 210 (NetSec Revisions)ends today at 22:00 UTC

zhangyq zhangyq at gdca.com.cn
Wed Aug 30 07:21:03 UTC 2017


GDCA votes YES.


原始邮件
发件人:Tom Ritter via Publicpublic at cabforum.org
收件人:CA/Browser Forum Public Discussion Listpublic at cabforum.org
发送时间:2017年8月30日(周三) 14:09
主题:Re: [cabfpub] Discussion Period for Ballot 210 (NetSec Revisions)ends today at 22:00 UTC


Mozilla votes yes. I opened a couple of issues at https://github.com/cabforum/documents/issues for us to discuss as we continue to work on this document. -tom On 28 August 2017 at 16:39, Peter Bowen via Public public at cabforum.org wrote:  Amazon votes YES.    On Aug 24, 2017, at 9:55 AM, Kirk Hall via Public public at cabforum.org  wrote:   The voting period will then run from 22:00 UTC today through 22:00 UTC.   If you have comments, please post them now.   From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson  via Public  Sent: Saturday, August 12, 2017 8:30 PM  To: CABFPub public at cabforum.org  Subject: [EXTERNAL][cabfpub] Ballot 210: Misc. Changes to the Network and  Certificate System Security Requirements    The discussion period for this ballot is 12 days to give everyone ample time  to review it. Voting will start at 2200 UTC on Thursday, August 24, 2017.   The Network Security Working Group recommends that the Forum make the  following minor revisions to the Network and Certificate System Security  Requirements. (Other changes are being considered by the Working Group and  will be presented in due course.)   The following ballot is proposed by Dimitris Zacharopoulos of HARICA and  endorsed by Ben Wilson of DigiCert and Neil Dunbar of TrustCor.   --Motion Begins--   In the Network and Certificate System Security Requirements:   ADD ETSI EN 319 411-1 to first sentence of the Scope and Applicability  section so that it reads "These Network and Certificate System Security  Requirements (Requirements) apply to all publicly trusted Certification  Authorities (CAs) and are adopted with the intent that all such CAs and  Delegated Third Parties be audited for conformity with these Requirements as  soon as they have been incorporated as mandatory requirements (if not  already mandatory requirements) in the root embedding program for any major  Internet browsing client and that they be incorporated into the WebTrust  Service Principles and Criteria for Certification Authorities, ETSI TS 101  456, ETSI TS 102 042 and ETSI EN 319 411-1 including revisions and  implementations thereof, including any audit scheme that purports to  determine conformity therewith."   REPLACE section 1.a. with "a. Segment Certificate Systems into networks  based on their functional or logical relationship, for example separate  physical networks or VLANs;"   REPLACE section 1.b. with "b. Apply equivalent security controls to all  systems co-located in the same network with a Certificate System;"   REPLACE "90 days" with "three (3) months" in section 2.g.ii. and 2.j so that  they read "ii. For accounts that are accessible from outside a Secure Zone  or High Security Zone, require that passwords have at least eight (8)  characters, be changed at least every three (3) months, use a combination of  at least numeric and alphabetic characters, that are not a dictionary word  or on a list of previously disclosed human-generated passwords, and not be  one of the user's previous four (4) passwords; and implement account lockout  for failed access attempts in accordance with subsection k; OR"   AND   "j. Review all system accounts at least every three (3) months and  deactivate any accounts that are no longer necessary for operations;"   REPLACE section 2.m. with "m. Enforce multi-factor OR multi-party  authentication for administrator access to Issuing Systems and Certificate  Management Systems;"   REPLACE section 2.o. with "o. Restrict remote administration or access to an  Issuing System, Certificate Management System, or Security Support System  except when: (i) the remote connection originates from a device owned or  controlled by the CA or Delegated Third Party, (ii) the remote connection is  through a temporary, non-persistent encrypted channel that is supported by  multi-factor authentication, and (iii) the remote connection is made to a  designated intermediary device (a) located within the CA’s network, (b)  secured in accordance with these Requirements, and (c) that mediates the  remote connection to the Issuing System."   REPLACE "every 30 days and" with "once a month to" in section 3.e. so that  it reads "e. Conduct a human review of application and system logs at least  once a month to validate the integrity of logging processes and ensure that  monitoring, logging, alerting, and log-integrity-verification functions are  operating properly (the CA or Delegated Third Party MAY use an in-house or  third-party audit log reduction and analysis tool); and"   REPLACE 4.a. with "a. Implement intrusion detection and prevention controls  under the control of CA or Delegated Third Party Trusted Roles to protect  Certificate Systems against common network and system threats;"   REPLACE 4.C. with "c. Undergo or perform a Vulnerability Scan (i) within one  (1) week of receiving a request from the CA/Browser Forum, (ii) after any  system or network changes that the CA determines are significant, and (iii)  at least every three (3) months, on public and private IP addresses  identified by the CA or Delegated Third Party as the CA’s or Delegated Third  Party’s Certificate Systems;"   REPLACE the definition of Security Support System in the Definitions with  "Security Support System: A system used to provide security support  functions, which MAY include authentication, network boundary control, audit  logging, audit log reduction and analysis, vulnerability scanning, and  intrusion detection (Host-based intrusion detection, Network-based intrusion  detection)."   Make other editorial changes as indicated at  https://github.com/cabforum/documents/pull/64/files and in the attached PDF.   --Motion Ends—   The procedure for approval of this Final Maintenance Guideline ballot is as  follows:   BALLOT 210 - Final Maintenance Guideline   Relevant Start times and End Times are 22:00 UTC   Discussion (7 to 14 days) Start: August 17, 2017 End: August 24, 2017   Vote for approval (7 days) Start: August 24, 2017 End: August 31, 2017   If a vote of the Forum approves this ballot, the Chair will initiate a  30-day IPR Review Period by sending out an IPR Review Notice.   After 30 days of announcing the IPR Review period by the Chair:   (a) If Exclusion Notice(s) are filed, this ballot approval is rescinded and  a PAG will be created; or (b) If no Exclusion Notices are filed, this ballot  becomes effective at end of the IPR Review Period.   From Bylaw 2.3: If the Draft Guideline Ballot is proposing a Final  Maintenance Guideline, such ballot will include a redline or comparison  showing the set of changes from the Final Guideline section(s) intended to  become a Final Maintenance Guideline, and need not include a copy of the  full set of guidelines. Such redline or comparison shall be made against the  Final Guideline section(s) as they exist at the time a ballot is proposed,  and need not take into consideration other ballots that may be proposed  subsequently, except as provided in Bylaw Section 2.3(j).   Votes must be cast by posting an on-list reply to this thread on the Public  list. A vote in favor of the motion must indicate a clear 'yes' in the  response. A vote against must indicate a clear 'no' in the response. A vote  to abstain must indicate a clear 'abstain' in the response. Unclear  responses will not be counted. The latest vote received from any  representative of a voting member before the close of the voting period will  be counted. Voting members are listed here: https://cabforum.org/members/   In order for the motion to be adopted, two thirds or more of the votes cast  by members in the CA category and greater than 50% of the votes cast by  members in the browser category must be in favor. Quorum is half of the  number of currently active Members, which is the average number of Member  organizations that have participated in the previous three Forum-wide  meetings (both teleconferences and face-to-face meetings). Under Bylaw  2.2(g), at least the required quorum number must participate in the ballot  for the ballot to be valid, either by voting in favor, voting against, or  abstaining.     CABForum_Network_Security_Controls_Ballot_Draft_1.pdf_______________________________________________  Public mailing list  Public at cabforum.org  https://cabforum.org/mailman/listinfo/public     _______________________________________________  Public mailing list  Public at cabforum.org  https://cabforum.org/mailman/listinfo/public  _______________________________________________ Public mailing list Public at cabforum.org https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170830/3771c501/attachment-0003.html>


More information about the Public mailing list