[Servercert-wg] Ballot SC29: System Configuration Management

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Mar 16 08:33:12 MST 2020



On 2020-03-16 5:20 μ.μ., Neil Dunbar via Servercert-wg wrote:
>
> Dimitris,
>
> While I'm keen to proceed with a vote on SC29 to clear this from the 
> Netsec backlog, I am sensitive to the fact that many businesses are 
> under stress given the current emergencies.
>
> The ballot was supposed to go into the voting period today at 17:00:00 
> UTC, but I will delay this until Monday 23rd March 2020, 17:00:00 UTC. 
> I'm not sure whether it is permissible within the bylaws to 
> retroactively extend the discussion period for another week, but it 
> seems like calling for the voting period is at the discretion of the 
> proposer (within the limits of 2.3 (c)); so I will make a voting 
> opening call at the later date.
>

It is permissible by allowing the proposer to start the voting period 
whenever they like, as long as it doesn't go past the 21 days of the 
last document submission for discussion.

Thanks for your understanding.


Dimitris.

> Regards,
>
> Neil
>
> On 16/03/2020 06:41, Dimitris Zacharopoulos (HARICA) via Servercert-wg 
> wrote:
>>
>> On behalf of HARICA I would like to kindly ask the proposer of the 
>> ballot to delay the voting for at least a week. Due to the 
>> coronavirus outbreak we haven't had a chance to carefully analyze the 
>> ballot and its consequences.
>>
>>
>> Thank you,
>> Dimitris.
>>
>> On 2020-03-09 6:39 μ.μ., Neil Dunbar via Servercert-wg wrote:
>>>
>>> This begins the discussion period for the Ballot SC29: System 
>>> Configuration Management
>>>
>>> [Note: this is the resubmission of Ballot SC20, which did not 
>>> proceed to a voting phase]
>>>
>>> Purpose of Ballot:
>>>
>>> Two sections of the current NSRs contain requirements for 
>>> configuration management. Section 1(h) demands a weekly review and 
>>> Section 3(a) a process to monitor, detect and report on 
>>> security-related configuration changes.
>>>
>>> There was consensus in the discussions of the Network Security 
>>> Subgroup that unauthorized or unintentional configuration changes 
>>> can introduce high security risks but the current wording allows CAs 
>>> to comply with s1(h) without noticing such a change for several 
>>> days. Whether the weekly human reviews have to be performed every 7 
>>> days or just once per week is a matter of interpretation but for the 
>>> discussion of our proposal this is immaterial. The change we are 
>>> proposing seeks to encourage CAs to rely on continuous monitoring 
>>> rather than human reviews because alerts created by a continuous 
>>> monitoring solution can notify a CA by orders of magnitude earlier 
>>> than a human review i.e. within minutes not within days.
>>>
>>> The question has been raised (at the Bratislava F2F meeting) as to 
>>> whether this ballot should also cover OS patching, since that 
>>> involves installing new packages on top of others. The view of the 
>>> proposers is an unequivocal “yes” - patched packages from OS vendors 
>>> should go through a CA change management process, and only those 
>>> patches which are approved for installation should make their way to 
>>> production systems.
>>>
>>>
>>> **More detailed discussions and considerations can be found in this 
>>> document, maintained by the NetSec Subgroup: 
>>> https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo.
>>> <https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo> 
>>>
>>>
>>> [For those unable to view the discussion document, a PDF of the 
>>> above document is attached to this mail]
>>>
>>> The following motion has been proposed by Neil Dunbar of TrustCor 
>>> and endorsed by Tobias Josefowitz of OPERA and Dustin Hollenback of 
>>> Microsoft.
>>>
>>> --- MOTION BEGINS ---
>>>
>>> This ballot modifies the “Network and Certificate System Security 
>>> Requirements” based on Version 1.3. A redline against the CA/B Forum 
>>> repository is found here:
>>>
>>> https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:108e555?diff=split
>>>
>>> (Each CA or Delegated Third Party SHALL)
>>> (...)
>>>
>>> Insert as new Section 1(h):
>>>
>>> Ensure that the CA’s security policies encompass a Change Management 
>>> Process, following the principles of documentation, approval and 
>>> testing, and to ensure that all changes to Certificate Systems, 
>>> Issuing Systems, Certificate Management Systems, Security Support 
>>> Systems, and Front-End / Internal-Support Systems follow said Change 
>>> Management Process;
>>>
>>> Remove from Section 3(a):
>>>
>>> Implement a Security Support System under the control of CA or 
>>> Delegated Third Party Trusted Roles that monitors, detects, and 
>>> reports any security-related configuration change to Certificate 
>>> Systems;
>>>
>>> Insert as new Section 3(a):
>>>
>>> Implement a System under the control of CA or Delegated Third Party 
>>> that continuously monitors, detects, and alerts personnel to any 
>>> configuration change to Certificate Systems, Issuing Systems, 
>>> Certificate Management Systems, Security Support Systems, and 
>>> Front-End / Internal-Support Systems unless the change has been 
>>> authorized through a change management process.  The CA or Delegated 
>>> Third Party  shall respond to the alert and initiate a plan of 
>>> action within at most twenty-four (24) hours.
>>>
>>> --- MOTION ENDS ---
>>>
>>> This ballot proposes a Final Maintenance Guideline.
>>>
>>> The procedure for approval of this ballot is as follows:
>>>
>>> Discussion (7+ days)
>>>
>>> Start Time: 2020-03-09 17:00:00 UTC
>>>
>>> End Time: 2020-03-16 17:00:00 UTC
>>>
>>> Vote for approval (7 days)
>>>
>>> Start Time: 2020-03-16 17:00:00 UTC
>>>
>>> End Time: 2020-03-23 17:00:00 UTC
>>>
>>>
>>> _______________________________________________
>>> Servercert-wg mailing list
>>> Servercert-wg at cabforum.org
>>> http://cabforum.org/mailman/listinfo/servercert-wg
>>
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> http://cabforum.org/mailman/listinfo/servercert-wg
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200316/67f0c7f7/attachment-0001.html>


More information about the Servercert-wg mailing list