[Servercert-wg] [EXTERNAL] Fwd: [cabf_netsec] SCXX: Offline CA Security Requirements

Ben Wilson bwilson at mozilla.com
Mon Aug 24 07:23:36 MST 2020


We can do that as a separate ballot.

On Thu, Aug 20, 2020 at 12:12 PM Bruce Morton <
Bruce.Morton at entrustdatacard.com> wrote:

> Hi Ben,
>
>
>
> Sections under BR 5.2 address Trusted Roles; however, the BR sections don’t
> have much text. Would it make sense to add some of the proposed ballot
> Trusted Role text to the BRs? I’m thinking of sections 5b, d, e and
> possibly f. It appears this text should apply to Trusted Roles even if
> they are not performing NetSec tasks.
>
>
>
> Thanks, Bruce.
>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Ben
> Wilson via Servercert-wg
> *Sent:* Thursday, August 20, 2020 12:42 PM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [EXTERNAL][Servercert-wg] Fwd: [cabf_netsec] SCXX: Offline CA
> Security Requirements
>
>
>
> Before we finalize this as a ballot, the NetSec group wanted to see if
> there were any comments to this latest approach of replacing "Offline CA
> System" with "Air-Gapped CA System."
>
>
>
> Thanks in advance for your comments.
>
>
>
> Ben
>
>
>
> *Purpose of the Ballot:*
>
>
>
> Air-Gapped (Offline) CA systems operate differently than online systems
> and have a different risk profile. While they include Air-Gapped CA
> systems, the current Network and Certificate System Security Requirements
> focus on online systems and contain a number of requirements that are not
> practical to implement in an offline environment and could increase the
> risk to an offline environment.
>
>
>
> As an example, access to offline systems frequently elevates the risk to
> the environment. A quarterly vulnerability scan in the offline environment
> is not practical, because there is an increased risk involved with
> attaching a scanning device to an Offline CA system.
>
>
>
> This ballot develops a working definition for an “Air-Gapped CA System” to
> allow for a clear delineation between those system components that fall
> under this category of air-gapped/offline requirements and those under all
> other requirements. While this ballot introduces a new section 5, this
> ballot only makes minor changes to the current requirements by replacing
> some online requirements with physical security requirements for air-gapped
> CAs. The new section 5 presents logical security requirements in
> subsections a through m and physical security requirements in subsections p
> through w. Otherwise, this ballot does not add any new requirements. This
> will create a separate set of requirements that apply only to Air-Gapped CA
> Systems.
>
>
>
> These proposed subsections in a new section 5 have their counterpart and
> come from the current NCSSRs as follows:
>
> *Description*                                      *Air-Gapped CA Criteria Section #*  *Current General Criteria Section #*
>
> *Logical Security*
> Configuration review                               5a                                  1h
> Appointing individuals to trusted roles            5b                                  2a
> Grant access to offline CAs                        5c                                  1i
> Document responsibilities of Trusted roles         5d                                  2b
> Segregation of duties                              5e                                  2d
> Require least privileged access for Trusted Roles  5f                                  2e
> All access tracked to individual account           5g                                  2f
> Password requirements                              5h                                  2gi
> Review logical access                              5i                                  2j
> Implement multi-factor access                      5j                                  2m
> Monitor offline CA systems                         5k                                  3b
> Review logging integrity                           5l                                  3e
> Monitor archive and retention of logs              5m                                  3f
>
> *Physical Security*
> Grant physical access                              5p                                  1i
> Multi-person physical access                       5q                                  1j
> Review physical access                             5r                                  2j
> Video monitoring                                   5s                                  3a
> Physical access monitoring                         5t                                  3a
> Review accounts with physical access               5u                                  2j
> Monitor retention of physical access of records    5v                                  3f
> Review integrity of physical access logs           5w                                  3e
>
>
>
> BALLOT TEXT
>
>
>
> Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and
> as Air-Gapped CA Systems, in accordance with Section 5;"
>
>
>
> Add definition of "Air-Gapped CA System" as "A system that is kept
> offline or otherwise air-gapped and separated from other systems used by a
> CA or Delegated Third Party in storing and managing CA private keys and
> performing signing and logging operations."
>
>
>
> Add a new Section 5 -
>
>
> 5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS
>
> This Section 5 separates requirements for Air-Gapped CA Systems into two
> categories: logical security and physical security.
>
> *Logical Security of Air-Gapped CA Systems*
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the logical security of Air-Gapped CA Systems:
>
> a. Review static configurations of Air-Gapped CA Systems at least on an
> annual basis to determine whether any changes violated the CA’s security
> policies;
>
> b. Follow a documented procedure for appointing individuals to Trusted
> Roles on Air-Gapped CA Systems;
>
> c. Grant logical access to Air-Gapped CA Systems only to persons acting in
> Trusted Roles and require their accountability for the Air-Gapped CA
> System's security;
>
> d. Document the responsibilities and tasks assigned to Trusted Roles and
> implement "separation of duties" for such Trusted Roles based on the
> security-related concerns of the functions to be performed;
>
> e. Ensure that an individual in a Trusted Role acts only within the scope
> of such role when performing administrative tasks assigned to that role;
>
> f. Require employees and contractors to observe the principle of "least
> privilege" when accessing, or when configuring access privileges on,
> Air-Gapped CA Systems;
>
> g. Require that all access to systems and offline key material can be
> traced back to an individual in a Trusted Role (through a combination of
> recordkeeping, use of logical and physical credentials, authentication
> factors, video recording, etc.);
>
> h. If an authentication control used by a Trusted Role is a username and
> password, then, where technically feasible, require that passwords have at
> least twelve (12) characters;
>
> i. Review logical access control lists at least annually and deactivate
> any accounts that are no longer necessary for operations;
>
> j. Enforce Multi-Factor Authentication OR multi-party authentication for
> administrator access to Air-Gapped CA Systems;
>
> k. Identify those Air-Gapped CA Systems capable of monitoring and logging
> system activity and enable those systems to continuously monitor and log
> system activity. Back up logs to an external system each time the system is
> used or on a quarterly basis, whichever is less frequent;
>
> l. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, check the integrity of the logical access
> logging processes and ensure that logging and log-integrity functions are
> effective;
>
> m. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, monitor the archival and retention of logical
> access logs to ensure that logs are retained for the appropriate amount of
> time in accordance with the disclosed business practices and applicable
> legislation.
>
> n. Reserved for future use
>
> o. Reserved for future use
>
> *Physical Security of Air-Gapped CA Systems*
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the physical security of Air-Gapped CA Systems:
>
> p. Grant physical access to Air-Gapped CA Systems only to persons acting
> in Trusted Roles and require their accountability for the Air-Gapped CA
> System’s security;
>
> q. Ensure that only personnel assigned to Trusted Roles have physical
> access to Air-Gapped CA Systems and multi-person access controls are
> enforced at all times;
>
> r. Implement a process that removes physical access of an individual to
> all Air-Gapped CA Systems within twenty-four (24) hours upon termination of
> the individual’s employment or contracting relationship with the CA or
> Delegated Third Party;
>
> s. Implement video monitoring, intrusion detection, and prevention
> controls to protect Air-Gapped CA Systems against unauthorized physical
> access attempts;
>
> t. Implement a Security Support System that monitors, detects, and reports
> any security-related configuration change to the physical access to
> Air-Gapped CA Systems;
>
> u. Review all system accounts on physical access control lists at least
> every three (3) months and deactivate any accounts that are no longer
> necessary for operations;
>
> v. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, monitor the archival and retention of the
> physical access logs to ensure that logs are retained for the appropriate
> amount of time in accordance with the disclosed business practices and
> applicable legislation.
>
> w. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, check the integrity of the physical access
> logging processes and ensure that logging and log-integrity functions are
> effective.
>
>
>