[Servercert-wg] Ballot SC29v3: System Configuration Management

Ryan Sleevi sleevi at google.com
Tue Apr 14 11:21:06 MST 2020


On Tue, Apr 14, 2020 at 9:49 AM Neil Dunbar via Servercert-wg <servercert-wg at cabforum.org> wrote:

> After lengthy discussions both on list and on the NetSec meeting, the
> question was raised whether a CA-approved source of patches/software updates
> counts as a change-managed process within the text of the ballot. The
> conclusion to those discussions was that it _does_ fall within the terms of
> this ballot. Note: it lies entirely outside the remit of the NetSec
> committee to say whether this is a good practice or a bad one - merely that
> it has the criteria of approval and review as required. To that extent, the
> ballot has been changed to explicitly require the change management process
> results to be subject to review, rather than "testing" per the previous
> wording.
>
Just to make sure - that specific change (from previous versions) is
https://github.com/cabforum/documents/commit/aefc8ad1a106e40315ba01aa13ea00cb93363805,
correct?

I am concerned a bit with the above disclaimer, but may just be confused,
and so wanting to check my understanding and make sure we've got the same
conclusion :)

Goal: Enabling automatic updates (i.e. directly via software), which
connects to a third-party (e.g. the OS or software vendor), without
requiring any human documentation or approval of the specific updates being
applied, is clearly and explicitly forbidden.

Goal: Enabling automatic updates (i.e. directly via software), from a
CA-maintained list of approved updates, is fine. A CA process that defines
that they approve updates provided by the OS vendor, and maintaining
documentation to the effect of exactly what was approved and installed, is
also fine.

Is that a correct understanding and conclusion? Specifically, I want to
make sure that the view is not that the NCSSRs permit treating the OS or
software vendor as a Delegated Third Party, where the OS vendor themselves
are (effectively) tasked with documentation, approval, and review of
updates to the CA's systems. The effect of allowing automatic updates is to
effectively give control of the system to the vendor, and there needs to be
some CA responsibility in ensuring the systems are in a defined and
documented state.

Given the discussion folks had, I want to make sure that no CA or auditor
will interpret this as allowing automatic updates. More concretely, a
statement "Running on a fully patched OS" would be bad, while a statement
"Running on this OS version, with patches X, Y, Z applied" is good, in that
it always concretely defines the state of the CA's system. It doesn't
seem that "fully patched" can meet the criteria of approval/review, but I'm
hoping I'm not missing some of the discussion.
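The distinction drawn above between "running on a fully patched OS" and "running on this OS version, with patches X, Y, Z applied" is the difference between a state that cannot be verified and one that can. The script below is an added example, not part of this thread or of any CA's or auditor's tooling: it reads a CA-maintained baseline (exact OS version plus the explicit list of approved patch identifiers) and a host's installed-patch inventory, and reports drift in both directions, updates present on the host that never went through approval (what an unattended vendor feed would produce) and approved updates that were never applied. The baseline and inventory formats are hypothetical, and all identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    """The CA-approved, documented state: exact OS version plus the patch IDs
    that went through approval and review (hypothetical format, see parser)."""
    os_version: str
    approved_patches: frozenset


@dataclass
class DriftReport:
    os_mismatch: bool
    unapproved_installed: list = field(default_factory=list)  # on host, never approved
    approved_missing: list = field(default_factory=list)      # approved, never applied

    @property
    def in_defined_state(self) -> bool:
        # The host matches the documented state only if nothing drifted either way.
        return not (self.os_mismatch or self.unapproved_installed or self.approved_missing)


def parse_baseline(text: str) -> Baseline:
    """Hypothetical baseline format: 'os: <version>' plus one 'patch: <id>' per line.
    Blank lines and '#' comments are ignored; unknown keys are rejected."""
    os_version = None
    patches = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "os":
            os_version = value
        elif key == "patch":
            patches.add(value)
        else:
            raise ValueError(f"unknown baseline entry: {raw!r}")
    if os_version is None:
        raise ValueError("baseline does not state an OS version")
    return Baseline(os_version, frozenset(patches))


def parse_inventory(text: str):
    """Hypothetical host inventory: first non-blank line is the OS version,
    remaining lines are installed patch IDs with optional tab-separated notes."""
    lines = [line for line in text.splitlines() if line.strip()]
    os_version = lines[0].strip()
    patches = [line.split("\t", 1)[0].strip() for line in lines[1:]]
    return os_version, patches


def compare(baseline: Baseline, observed_os: str, observed_patches) -> DriftReport:
    """Set difference in both directions against the approved list."""
    observed = set(observed_patches)
    return DriftReport(
        os_mismatch=observed_os != baseline.os_version,
        unapproved_installed=sorted(observed - baseline.approved_patches),
        approved_missing=sorted(baseline.approved_patches - observed),
    )


# Constructed sample data; the ticket reference is a placeholder, not a real record.
BASELINE_TEXT = """\
# Approved under change ticket CC-PLACEHOLDER-42
os: ExampleOS 12.4
patch: P-1001
patch: P-1002
patch: P-1003
"""
BASELINE = parse_baseline(BASELINE_TEXT)

# Constructed host inventory: P-1004 arrived through an unattended vendor feed
# and was never approved; P-1003 was approved but never applied.
INVENTORY_TEXT = """\
ExampleOS 12.4
P-1001\tinstalled 2020-03-02
P-1002\tinstalled 2020-03-20
P-1004\tinstalled 2020-04-10 (auto-update)
"""


def run_check() -> DriftReport:
    observed_os, observed_patches = parse_inventory(INVENTORY_TEXT)
    return compare(BASELINE, observed_os, observed_patches)


if __name__ == "__main__":
    report = run_check()
    print("host in documented state:", report.in_defined_state)
    print("installed but never approved:", report.unapproved_installed)
    print("approved but not installed:", report.approved_missing)
```

Run against the sample data it reports `P-1004` as installed without approval and `P-1003` as approved but missing, so the host is not in its documented state. The point of the explicit patch list is that this comparison is possible at all; a baseline that only says "fully patched" has no approved set to diff against, which is why it cannot satisfy an approval-and-review requirement.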

