[Servercert-wg] Voting Begins: Ballot SC29v3: System Configuration Management

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Sun May 3 03:14:16 MST 2020


HARICA votes "yes" to ballot SC29.

On 2020-04-30 5:15 μ.μ., Neil Dunbar via Servercert-wg wrote:
>
> This begins the voting period for the Ballot SC29v3: System 
> Configuration Management
>
> Having consulted on-list to see if the voluntary moratorium on changes 
> was over, I got no objection to proceeding with voting on this ballot, 
> so here it is.
>
> Purpose of Ballot:
>
> Two sections of the current NSRs contain requirements for 
> configuration management. Section 1(h) demands a weekly review and 
> Section 3(a) a process to monitor, detect and report on 
> security-related configuration changes.
>
> There was consensus in the discussions of the Network Security 
> Subgroup that unauthorized or unintentional configuration changes can 
> introduce high security risks but the current wording allows CAs to 
> comply with s1(h) without noticing such a change for several days. 
> Whether the weekly human reviews have to be performed every 7 days or 
> just once per week is a matter of interpretation but for the 
> discussion of our proposal this is immaterial. The change we are 
> proposing seeks to encourage CAs to rely on continuous monitoring 
> rather than human reviews because alerts created by a continuous 
> monitoring solution can notify a CA by orders of magnitude earlier 
> than a human review i.e. within minutes not within days.
>
> To answer the question as to whether automated patching via defined 
> software vendor repositories is allowed: the answer is YES - this is 
> allowed by the text of the ballot. The proposers and seconders publish 
> no judgement on the desirability of such a process, but if it defined 
> and documented per the terms of the ballot, such a process does not 
> contravene the text of this ballot.
>
> The GitHub redline is: 
> https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:aefc8ad?diff=split
>
> Regards,
>
> Neil
>
> *--- MOTION BEGINS ---*
>
> *This ballot modifies the “Network and Certificate System Security 
> Requirements” based on Version 1.3.*
>
> *(Each CA or Delegated Third Party SHALL)
> (...)
> *
>
> *Insert as new Section 1(h)*
>
> *Ensure that the CA’s security policies encompass a change management 
> process, following the principles of documentation, approval and 
> review, and to ensure that all changes to Certificate Systems, Issuing 
> Systems, Certificate Management Systems, Security Support Systems, and 
> Front-End / Internal-Support Systems follow said change management 
> process;*
>
> *Remove from Section 3(a)
> *
>
> *Implement a Security Support System under the control of CA or 
> Delegated Third Party Trusted Roles that monitors, detects, and 
> reports any security-related configuration change to Certificate Systems;*
>
> *Insert as new Section 3(a)*
>
> *Implement a System under the control of CA or Delegated Third Party 
> that continuously monitors, detects, and alerts personnel to any 
> modification to Certificate Systems, Issuing Systems, Certificate 
> Management Systems, Security Support Systems, and Front-End / 
> Internal-Support Systems unless the change has been authorized through 
> a change management process.  The CA or Delegated Third Party shall 
> respond to the alert and initiate a plan of action within at most 
> twenty-four (24) hours.*
>
> *Effective date*
>
> *The changes introduced by this Ballot take effect on 1 November 2020. 
> Earlier adoption is permitted.
> *
>
> *--- MOTION ENDS ---
> *
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2020-04-14 17:00:00 UTC
>
> End Time: 2020-04-30 17:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2020-04-30 17:00:00 UTC
>
> End Time: 2020-05-07 17:00:00 UTC
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200503/ac183409/attachment.html>


More information about the Servercert-wg mailing list