[Servercert-wg] Ballot SC29v2: System Configuration Management
Neil Dunbar
ndunbar at trustcorsystems.com
Mon Mar 23 06:49:05 MST 2020
Further to the discussion on the last SCWG (2020-03-19) , I'm keeping
this ballot alive as a 'heartbeat'. Everyone on the group is in the grip
of the coronavirus outbreak, so flexibility is required from all
participants.
This begins/extends the discussion period for the Ballot SC29v2: System
Configuration Management
Purpose of Ballot:
Two sections of the current NSRs contain requirements for configuration
management. Section 1(h) demands a weekly review and Section 3(a) a
process to monitor, detect and report on security-related configuration
changes.
There was consensus in the discussions of the Network Security Subgroup
that unauthorized or unintentional configuration changes can introduce
high security risks but the current wording allows CAs to comply with
s1(h) without noticing such a change for several days. Whether the
weekly human reviews have to be performed every 7 days or just once per
week is a matter of interpretation but for the discussion of our
proposal this is immaterial. The change we are proposing seeks to
encourage CAs to rely on continuous monitoring rather than human reviews
because alerts created by a continuous monitoring solution can notify a
CA by orders of magnitude earlier than a human review i.e. within
minutes not within days.
The question has been raised (at the Bratislava F2F meeting) as to
whether this ballot should also cover OS patching, since that involves
installing new packages on top of others. The view of the proposers is
an unequivocal “yes” - patched packages from OS vendors should go
through a CA change management process, and only those patches which are
approved for installation should make their way to production systems.
**More detailed discussions and considerations can be found in this
document, maintained by the NetSec Subgroup:
https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo.
<https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo>
[For those unable to view the discussion document, a PDF of the above
document is attached to this mail]
The following motion has been proposed by Neil Dunbar of TrustCor and
endorsed by Tobias Josefowitz of OPERA and Dustin Hollenback of Microsoft.
--- MOTION BEGINS ---
This ballot modifies the “Network and Certificate System Security
Requirements” based on Version 1.3. A redline against the CA/B Forum
repository is found here:
https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:108e555?diff=split
(Each CA or Delegated Third Party SHALL)
(...)
Insert as new Section 1(h):
Ensure that the CA’s security policies encompass a Change Management
Process, following the principles of documentation, approval and
testing, and to ensure that all changes to Certificate Systems, Issuing
Systems, Certificate Management Systems, Security Support Systems, and
Front-End / Internal-Support Systems follow said Change Management Process;
Remove from Section 3(a):
Implement a Security Support System under the control of CA or Delegated
Third Party Trusted Roles that monitors, detects, and reports any
security-related configuration change to Certificate Systems;
Insert as new Section 3(a):
Implement a System under the control of CA or Delegated Third Party that
continuously monitors, detects, and alerts personnel to any
configuration change to Certificate Systems, Issuing Systems,
Certificate Management Systems, Security Support Systems, and Front-End
/ Internal-Support Systems unless the change has been authorized through
a change management process. The CA or Delegated Third Party shall
respond to the alert and initiate a plan of action within at most
twenty-four (24) hours.
--- MOTION ENDS ---
This ballot proposes a Final Maintenance Guideline.
The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 2020-03-23 17:00:00 UTC
End Time: 2020-04-03 17:00:00 UTC
Vote for approval (7 days)
Start Time: TBD
End Time: TBD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200323/83fac77d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SC29 Ballot_ System Configuration Management.pdf
Type: application/pdf
Size: 55223 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200323/83fac77d/attachment-0001.pdf>
More information about the Servercert-wg
mailing list