[Servercert-wg] Ballot SC29v3: System Configuration Management

Neil Dunbar ndunbar at trustcorsystems.com
Tue Apr 14 06:49:20 MST 2020 

This begins/extends the discussion period for the Ballot SC29v3: System 
Configuration Management

Purpose of Ballot:

Two sections of the current NSRs contain requirements for configuration 
management. Section 1(h) demands a weekly review and Section 3(a) a 
process to monitor, detect and report on security-related configuration 
changes.

There was consensus in the discussions of the Network Security Subgroup 
that unauthorized or unintentional configuration changes can introduce 
high security risks but the current wording allows CAs to comply with 
s1(h) without noticing such a change for several days. Whether the 
weekly human reviews have to be performed every 7 days or just once per 
week is a matter of interpretation but for the discussion of our 
proposal this is immaterial. The change we are proposing seeks to 
encourage CAs to rely on continuous monitoring rather than human reviews 
because alerts created by a continuous monitoring solution can notify a 
CA by orders of magnitude earlier than a human review i.e. within 
minutes not within days.

After lengthy discussions both on list and on the NetSec meeting, the 
question about whether a CA approved source of patches/software updates 
counts as a change managed process within the text of the ballot. The 
conclusion to those discussions was that it _does_ fall within the terms 
of this ballot. Note: it lies entirely outside the remit of the NetSec 
committee to say whether this is a good practice or a bad one - merely 
that it has the criteria of approval and review as required. To that 
extent, the ballot has been changed to explicitly require the change 
management process results to be subject to review, rather than 
"testing" per the previous wording.

A PDF of the discussion document is attached to this email. The document 
is on Google Docs at: 
https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo 
<https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo/edit>

The GitHub redline is: 
https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:aefc8ad?diff=split

Regards,

Neil

*--- MOTION BEGINS ---*

*This ballot modifies the “Network and Certificate System Security 
Requirements” based on Version 1.3.*

*(Each CA or Delegated Third Party SHALL)
(...)
*

*Insert as new Section 1(h)*

*Ensure that the CA’s security policies encompass a change management 
process, following the principles of documentation, approval and review, 
and to ensure that all changes to Certificate Systems, Issuing Systems, 
Certificate Management Systems, Security Support Systems, and Front-End 
/ Internal-Support Systems follow said change management process;*

*Remove from Section 3(a)
*

*Implement a Security Support System under the control of CA or 
Delegated Third Party Trusted Roles that monitors, detects, and reports 
any security-related configuration change to Certificate Systems;*

*Insert as new Section 3(a)*

*Implement a System under the control of CA or Delegated Third Party 
that continuously monitors, detects, and alerts personnel to any 
modification to Certificate Systems, Issuing Systems, Certificate 
Management Systems, Security Support Systems, and Front-End / 
Internal-Support Systems unless the change has been authorized through a 
change management process.  The CA or Delegated Third Party shall 
respond to the alert and initiate a plan of action within at most 
twenty-four (24) hours.*

*Effective date*

*The changes introduced by this Ballot take effect on 1 October 2020. 
Earlier adoption is permitted.
*

*--- MOTION ENDS ---
*

This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2020-04-14 17:00:00 UTC

End Time: 2020-04-30 17:00:00 UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200414/7b6b736b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SC29 Ballot_ System Configuration Management (2).pdf
Type: application/pdf
Size: 55213 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200414/7b6b736b/attachment-0001.pdf>

More information about the Servercert-wg mailing list