[Servercert-wg] Voting Begins: Ballot SC29v3: System Configuration Management
Neil Dunbar
ndunbar at trustcorsystems.com
Thu Apr 30 07:15:20 MST 2020
This begins the voting period for the Ballot SC29v3: System
Configuration Management
Having consulted on-list to see if the voluntary moratorium on changes
was over, I got no objection to proceeding with voting on this ballot,
so here it is.
Purpose of Ballot:
Two sections of the current NSRs contain requirements for configuration
management. Section 1(h) demands a weekly review and Section 3(a) a
process to monitor, detect and report on security-related configuration
changes.
There was consensus in the discussions of the Network Security Subgroup
that unauthorized or unintentional configuration changes can introduce
high security risks but the current wording allows CAs to comply with
s1(h) without noticing such a change for several days. Whether the
weekly human reviews have to be performed every 7 days or just once per
week is a matter of interpretation but for the discussion of our
proposal this is immaterial. The change we are proposing seeks to
encourage CAs to rely on continuous monitoring rather than human reviews
because alerts created by a continuous monitoring solution can notify a
CA by orders of magnitude earlier than a human review i.e. within
minutes not within days.
To answer the question as to whether automated patching via defined
software vendor repositories is allowed: the answer is YES - this is
allowed by the text of the ballot. The proposers and seconders publish
no judgement on the desirability of such a process, but if it defined
and documented per the terms of the ballot, such a process does not
contravene the text of this ballot.
The GitHub redline is:
https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:aefc8ad?diff=split
Regards,
Neil
*--- MOTION BEGINS ---*
*This ballot modifies the “Network and Certificate System Security
Requirements” based on Version 1.3.*
*(Each CA or Delegated Third Party SHALL)
(...)
*
*Insert as new Section 1(h)*
*Ensure that the CA’s security policies encompass a change management
process, following the principles of documentation, approval and review,
and to ensure that all changes to Certificate Systems, Issuing Systems,
Certificate Management Systems, Security Support Systems, and Front-End
/ Internal-Support Systems follow said change management process;*
*Remove from Section 3(a)
*
*Implement a Security Support System under the control of CA or
Delegated Third Party Trusted Roles that monitors, detects, and reports
any security-related configuration change to Certificate Systems;*
*Insert as new Section 3(a)*
*Implement a System under the control of CA or Delegated Third Party
that continuously monitors, detects, and alerts personnel to any
modification to Certificate Systems, Issuing Systems, Certificate
Management Systems, Security Support Systems, and Front-End /
Internal-Support Systems unless the change has been authorized through a
change management process. The CA or Delegated Third Party shall
respond to the alert and initiate a plan of action within at most
twenty-four (24) hours.*
*Effective date*
*The changes introduced by this Ballot take effect on 1 November 2020.
Earlier adoption is permitted.
*
*--- MOTION ENDS ---
*
This ballot proposes a Final Maintenance Guideline.
The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 2020-04-14 17:00:00 UTC
End Time: 2020-04-30 17:00:00 UTC
Vote for approval (7 days)
Start Time: 2020-04-30 17:00:00 UTC
End Time: 2020-05-07 17:00:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200430/5a753590/attachment.html>
More information about the Servercert-wg
mailing list