[Servercert-wg] Ballot SC29: System Configuration Management

Josselin Allemandou j.allemandou at certigna.com
Mon Mar 23 06:53:56 MST 2020


CERTIGNA is subject to the same constraints and context as SWISSSIGN and HARICA, so we also share this request.

 

Best Regards,

 

Josselin ALLEMANDOU

CERTIGNA

 

De : Servercert-wg <servercert-wg-bounces at cabforum.org> De la part de Dimitris Zacharopoulos (HARICA) via Servercert-wg
Envoyé : lundi 23 mars 2020 09:38
À : Nathalie Weiler <nathalie.weiler at swisssign.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Objet : Re: [Servercert-wg] Ballot SC29: System Configuration Management

 

Representing HARICA I'd like to second this request. We discussed about this at our last teleconference and Members can review the draft minutes sent to the management list.

With that said, HARICA plans to participate in the discussion of SC29 with some thoughts and observations related to the patching mechanisms and the need to allow a certain level of automation. We are still trying to get together (virtually) as a team to have a full analysis and a detailed internal discussion before we post our thoughts to the public list. 


Thank you,
Dimitris.

On 2020-03-23 10:15 π.μ., Nathalie Weiler via Servercert-wg wrote:

Dear all,

 

On behalf of SwissSign, I would like to request more time for the analysis of the impact of SC-29. The reason is that we did not have time to properly analyze the impact before the Corana-lockdown. The lockdown is expected to last for Switzerland (as for most of Europe) at least until April 20, 2020. In that period we are running as probably most of the other CAs in emergency change only.  

 

Thank you for considering our concerns!

 

With best regards,

 

Nathalie  

 

Nathalie Weiler

CISO

Nathalie.Weiler at swisssign.com <mailto:Nathalie.Weiler at swisssign.com> 

SwissSign Group AG

Sägereistrasse 25

Postfach

CH-8152 Glattbrugg

 

Von: Servercert-wg  <mailto:servercert-wg-bounces at cabforum.org> <servercert-wg-bounces at cabforum.org> Im Auftrag von Neil Dunbar via Servercert-wg
Gesendet: Monday, March 9, 2020 5:39 PM
An: CA/B Forum Server Certificate WG Public Discussion List  <mailto:servercert-wg at cabforum.org> <servercert-wg at cabforum.org>
Betreff: [Servercert-wg] Ballot SC29: System Configuration Management

 

This begins the discussion period for the Ballot SC29: System Configuration Management

[Note: this is the resubmission of Ballot SC20, which did not proceed to a voting phase]

Purpose of Ballot:

 

Two sections of the current NSRs contain requirements for configuration management. Section 1(h) demands a weekly review and Section 3(a) a process to monitor, detect and report on security-related configuration changes.

 

There was consensus in the discussions of the Network Security Subgroup that unauthorized or unintentional configuration changes can introduce high security risks but the current wording allows CAs to comply with s1(h) without noticing such a change for several days. Whether the weekly human reviews have to be performed every 7 days or just once per week is a matter of interpretation but for the discussion of our proposal this is immaterial. The change we are proposing seeks to encourage CAs to rely on continuous monitoring rather than human reviews because alerts created by a continuous monitoring solution can notify a CA by orders of magnitude earlier than a human review i.e. within minutes not within days.

 

The question has been raised (at the Bratislava F2F meeting) as to whether this ballot should also cover OS patching, since that involves installing new packages on top of others. The view of the proposers is an unequivocal “yes” - patched packages from OS vendors should go through a CA change management process, and only those patches which are approved for installation should make their way to production systems.

 

More detailed discussions and considerations can be found in this document, maintained by the NetSec Subgroup: https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo. <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo&data=02%7C01%7Cnathalie.weiler%40swisssign.com%7Cb790be9914fd4cd4a15408d7c4487358%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C637193687780490335&sdata=sAPzOP4mFmqCccAD8%2F81Mys8s8Af2JKQW9gHD8MDnKw%3D&reserved=0> 


 

[For those unable to view the discussion document, a PDF of the above document is attached to this mail]

 

The following motion has been proposed by Neil Dunbar of TrustCor and endorsed by Tobias Josefowitz of OPERA and Dustin Hollenback of Microsoft.

--- MOTION BEGINS ---

 

This ballot modifies the “Network and Certificate System Security Requirements” based on Version 1.3. A redline against the CA/B Forum repository is found here: 

 

 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fdocuments%2Fcompare%2F16a5a9b...neildunbar%3A108e555%3Fdiff%3Dsplit&data=02%7C01%7Cnathalie.weiler%40swisssign.com%7Cb790be9914fd4cd4a15408d7c4487358%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C637193687780500291&sdata=xG%2Baa%2BSsedvP7z%2BUum8j6GQx7YoxReKveu%2F3iTs4ORY%3D&reserved=0> https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:108e555?diff=split

(Each CA or Delegated Third Party SHALL)
(...)

 

Insert as new Section 1(h):

 

Ensure that the CA’s security policies encompass a Change Management Process, following the principles of documentation, approval and testing, and to ensure that all changes to Certificate Systems, Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems follow said Change Management Process;

 

Remove from Section 3(a):

 

Implement a Security Support System under the control of CA or Delegated Third Party Trusted Roles that monitors, detects, and reports any security-related configuration change to Certificate Systems;

 

Insert as new Section 3(a):

 

Implement a System under the control of CA or Delegated Third Party that continuously monitors, detects, and alerts personnel to any configuration change to Certificate Systems, Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems unless the change has been authorized through a change management process.  The CA or Delegated Third Party  shall respond to the alert and initiate a plan of action within at most twenty-four (24) hours.

 

--- MOTION ENDS ---

 

This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2020-03-09 17:00:00 UTC

End Time: 2020-03-16 17:00:00 UTC

Vote for approval (7 days)

Start Time: 2020-03-16 17:00:00 UTC

End Time: 2020-03-23 17:00:00 UTC 

 





_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org <mailto:Servercert-wg at cabforum.org> 
http://cabforum.org/mailman/listinfo/servercert-wg

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200323/515bd9f9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 8318 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200323/515bd9f9/attachment-0001.p7s>


More information about the Servercert-wg mailing list