[Servercert-wg] Voting Begins: Ballot SC29v3: System Configuration Management

Tue May 5 06:59:03 MST 2020

OISTE votes "yes" to ballot SC29.

> On 30 Apr 2020, at 16:15, Neil Dunbar via Servercert-wg <servercert-wg at cabforum.org> wrote:
> 
> This begins the voting period for the Ballot SC29v3: System Configuration Management
> 
> Having consulted on-list to see if the voluntary moratorium on changes was over, I got no objection to proceeding with voting on this ballot, so here it is.
> 
> Purpose of Ballot:
> 
> Two sections of the current NSRs contain requirements for configuration management. Section 1(h) demands a weekly review and Section 3(a) a process to monitor, detect and report on security-related configuration changes.
> 
> There was consensus in the discussions of the Network Security Subgroup that unauthorized or unintentional configuration changes can introduce high security risks but the current wording allows CAs to comply with s1(h) without noticing such a change for several days. Whether the weekly human reviews have to be performed every 7 days or just once per week is a matter of interpretation but for the discussion of our proposal this is immaterial. The change we are proposing seeks to encourage CAs to rely on continuous monitoring rather than human reviews because alerts created by a continuous monitoring solution can notify a CA by orders of magnitude earlier than a human review i.e. within minutes not within days.
> To answer the question as to whether automated patching via defined software vendor repositories is allowed: the answer is YES - this is allowed by the text of the ballot. The proposers and seconders publish no judgement on the desirability of such a process, but if it defined and documented per the terms of the ballot, such a process does not contravene the text of this ballot.
> 
> The GitHub redline is: https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:aefc8ad?diff=split <https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:aefc8ad?diff=split>
> Regards,
> 
> Neil
> 
> --- MOTION BEGINS ---
> 
> This ballot modifies the “Network and Certificate System Security Requirements” based on Version 1.3.
> 
> (Each CA or Delegated Third Party SHALL)
> (...)
> 
> Insert as new Section 1(h)
> 
> Ensure that the CA’s security policies encompass a change management process, following the principles of documentation, approval and review, and to ensure that all changes to Certificate Systems, Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems follow said change management process;
> 
> Remove from Section 3(a) 
> 
> Implement a Security Support System under the control of CA or Delegated Third Party Trusted Roles that monitors, detects, and reports any security-related configuration change to Certificate Systems;
> 
> Insert as new Section 3(a)
> 
> Implement a System under the control of CA or Delegated Third Party that continuously monitors, detects, and alerts personnel to any modification to Certificate Systems, Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems unless the change has been authorized through a change management process.  The CA or Delegated Third Party shall respond to the alert and initiate a plan of action within at most twenty-four (24) hours.
> 
> Effective date
> 
> The changes introduced by this Ballot take effect on 1 November 2020. Earlier adoption is permitted.
> 
> --- MOTION ENDS ---
> 
> This ballot proposes a Final Maintenance Guideline.
> 
> The procedure for approval of this ballot is as follows:
> 
> Discussion (7+ days)
> 
> Start Time: 2020-04-14 17:00:00 UTC
> 
> End Time: 2020-04-30 17:00:00 UTC
> 
> Vote for approval (7 days)
> 
> Start Time: 2020-04-30 17:00:00 UTC
> 
> End Time: 2020-05-07 17:00:00 UTC
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

WISeKey SA
Pedro Fuentes
CSO - PM eSecurity Solutions
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: 29, Rte de Pré-Bois - CP 853 | Geneva 1215 CH - Switzerland
Stay connected with WISeKey <http://www.wisekey.com/>

THIS IS A TRUSTED MAIL: This message is digitally signed with a WISeKey identity. If you get a mail from WISeKey please check the signature to avoid security risks

CONFIDENTIALITY: This email and any files transmitted with it can be confidential and it’s intended solely for the use of the individual or entity to which they are addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. If you have received this email in error please notify the sender

DISCLAIMER: WISeKey does not warrant the accuracy or completeness of this message and does not accept any liability for any errors or omissions herein as this message has been transmitted over a public network. Internet communications cannot be guaranteed to be secure or error-free as information may be intercepted, corrupted, or contain viruses. Attachments to this e-mail are checked for viruses; however, we do not accept any liability for any damage sustained by viruses and therefore you are kindly requested to check for viruses upon receipt.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200505/09178a2d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3408 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200505/09178a2d/attachment.p7s>