[Servercert-wg] Voting Begins: Ballot SC29v3: System Configuration Management

Chema Lopez clopez at firmaprofesional.com
Wed May 6 10:17:19 MST 2020


Firmaprofesional votes YES on ballot SC29 v3.



*Chema López*

Director, Innovation, Compliance and Technology Area

+34 666 429 224






*Barcelona* Av. Torre Blanca 57, Edif. Esadecreapolis, Local 3B6 - 08173
Sant Cugat del Vallès | +34 934 774 245

*Madrid* C/ Velázquez 59, 1º Ctro-Izda. - 28001 Madrid | +34 915 762 181


www.firmaprofesional.com



*The content of this e-mail and its attachments is confidential.
If you receive this message in error, be aware that using, disclosing
and/or copying it is prohibited. In that case we would be grateful if you
notified the sender immediately and destroyed the message.*



*We inform you that, in compliance with data protection legislation,
FIRMAPROFESIONAL will process your data for the purpose of maintaining
relations with the company, entity or organisation that you represent or
work for, and for the duration of that relationship. You may exercise your
rights of access, rectification, erasure, restriction, portability and
objection to processing before the Controller: FIRMAPROFESIONAL, S.A.,
Av. Torre Blanca, 57, local 3B6 (Edificio Esadecreapolis), 08173 Sant Cugat
del Vallès (Barcelona), or by e-mail to: rgpd at firmaprofesional.com
<rgpd at firmaprofesional.com>, in either case attaching a copy of your
D.N.I. or equivalent document. You may also lodge complaints with the
Agencia Española de Protección de Datos. For more information see our
privacy policy <https://www.firmaprofesional.com/esp/aviso-legal>.*

>
>
>
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On Behalf Of *Neil
> Dunbar via Servercert-wg
> *Sent:* Thursday, April 30, 2020 10:15 AM
> *To:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject:* [Servercert-wg] Voting Begins: Ballot SC29v3: System
> Configuration Management
>
>
>
> This begins the voting period for the Ballot SC29v3: System Configuration
> Management
>
> Having consulted on-list to see if the voluntary moratorium on changes was
> over, I got no objection to proceeding with voting on this ballot, so here
> it is.
>
> Purpose of Ballot:
>
>
>
> Two sections of the current NSRs contain requirements for configuration
> management. Section 1(h) demands a weekly review and Section 3(a) a process
> to monitor, detect and report on security-related configuration changes.
>
>
>
> There was consensus in the discussions of the Network Security Subgroup
> that unauthorized or unintentional configuration changes can introduce high
> security risks but the current wording allows CAs to comply with s1(h)
> without noticing such a change for several days. Whether the weekly human
> reviews have to be performed every 7 days or just once per week is a matter
> of interpretation but for the discussion of our proposal this is
> immaterial. The change we are proposing seeks to encourage CAs to rely on
> continuous monitoring rather than human reviews because alerts created by a
> continuous monitoring solution can notify a CA by orders of magnitude
> earlier than a human review i.e. within minutes not within days.
>
> To answer the question as to whether automated patching via defined
> software vendor repositories is allowed: the answer is YES - this is
> allowed by the text of the ballot. The proposers and seconders publish no
> judgement on the desirability of such a process, but if it is defined and
> documented per the terms of the ballot, such a process does not contravene
> the text of this ballot.
>
> The GitHub redline is:
> https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:aefc8ad?diff=split
>
> Regards,
>
> Neil
>
> --- MOTION BEGINS ---
>
> This ballot modifies the “Network and Certificate System Security
> Requirements” based on Version 1.3.
>
> (Each CA or Delegated Third Party SHALL)
> (...)
>
> Insert as new Section 1(h)
>
> Ensure that the CA’s security policies encompass a change management
> process, following the principles of documentation, approval and review,
> and to ensure that all changes to Certificate Systems, Issuing Systems,
> Certificate Management Systems, Security Support Systems, and Front-End /
> Internal-Support Systems follow said change management process;
>
> Remove from Section 3(a)
>
> Implement a Security Support System under the control of CA or Delegated
> Third Party Trusted Roles that monitors, detects, and reports any
> security-related configuration change to Certificate Systems;
>
> Insert as new Section 3(a)
>
> Implement a System under the control of CA or Delegated Third Party that
> continuously monitors, detects, and alerts personnel to any modification to
> Certificate Systems, Issuing Systems, Certificate Management Systems,
> Security Support Systems, and Front-End / Internal-Support Systems unless
> the change has been authorized through a change management process.  The CA
> or Delegated Third Party shall respond to the alert and initiate a plan of
> action within at most twenty-four (24) hours.
>
> Effective date
>
> The changes introduced by this Ballot take effect on 1 November 2020.
> Earlier adoption is permitted.
>
> --- MOTION ENDS ---
>
> This ballot proposes a Final Maintenance Guideline.
>
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2020-04-14 17:00:00 UTC
>
> End Time: 2020-04-30 17:00:00 UTC
>
> Vote for approval (7 days)
>
>
>
> Start Time: 2020-04-30 17:00:00 UTC
>
>
>
> End Time: 2020-05-07 17:00:00 UTC
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
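The quoted ballot frames the change as a move from weekly human review to continuous monitoring that alerts on any modification not authorized through change management, with a 24-hour window to respond and start a plan of action. As an added illustration (not CA/B Forum, Firmaprofesional or any CA's code), the following Python monitor takes a SHA-256 baseline of a configuration tree, detects every added, removed or modified file, suppresses only those changes whose path and resulting content match an approved change record, and stamps each remaining alert with a respond-by deadline derived from the 24-hour requirement. The directory layout, the change-record format (ticket, path, expected hash) and the sample configuration files are constructed for the demonstration.

```python
"""Continuous configuration-change monitoring reconciled against change management.

Added example: detect every modification to a monitored tree and alert unless the
change matches an approved change record. The file layout, the change-record shape
and the sample files below are assumptions made for the demonstration.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, Iterator, List, Optional, Tuple

# Ballot text: respond to the alert and initiate a plan of action within 24 hours.
RESPONSE_SLA = timedelta(hours=24)
# Fixed "now" so the demo and its checks are deterministic (constructed value).
SAMPLE_NOW = datetime(2020, 11, 1, 12, 0, tzinfo=timezone.utc)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large config files are hashed without loading."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


@dataclass(frozen=True)
class ApprovedChange:
    """One record from the change management process (assumed format)."""
    ticket: str
    path: str
    new_sha256: Optional[str]  # None: the ticket approves removing the file


@dataclass(frozen=True)
class Alert:
    path: str
    kind: str  # "added", "removed" or "modified"
    detected_at: datetime
    respond_by: datetime


def diff_snapshots(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Iterator[Tuple[str, str, Optional[str]]]:
    """Yield (path, kind, resulting hash or None) for every difference between snapshots."""
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            yield path, "removed", None
        elif path not in baseline:
            yield path, "added", current[path]
        elif baseline[path] != current[path]:
            yield path, "modified", current[path]


def reconcile(baseline: Dict[str, str], current: Dict[str, str],
              approved: List[ApprovedChange], now: datetime) -> List[Alert]:
    """Alert on every change whose path and resulting content are not covered by a ticket.

    A ticket authorizes exactly one resulting state; a file edited to something other
    than what the ticket approved still raises an alert.
    """
    authorized = {(c.path, c.new_sha256) for c in approved}
    alerts = []
    for path, kind, digest in diff_snapshots(baseline, current):
        if (path, digest) in authorized:
            continue
        alerts.append(Alert(path, kind, now, now + RESPONSE_SLA))
    return alerts


def demo() -> List[Alert]:
    """Constructed scenario: three config files, one approved edit, two unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "issuing.conf").write_text("signing_profile=ev\n")
        (root / "etc" / "ocsp.conf").write_text("responder_ttl=3600\n")
        (root / "etc" / "audit.conf").write_text("log_level=info\n")
        baseline = snapshot(root)

        # Approved change (hypothetical ticket CHG-0042): raise the OCSP TTL to 7200.
        new_ocsp = "responder_ttl=7200\n"
        approved = [ApprovedChange("CHG-0042", "etc/ocsp.conf",
                                   hashlib.sha256(new_ocsp.encode()).hexdigest())]
        (root / "etc" / "ocsp.conf").write_text(new_ocsp)

        # Unauthorized changes: an edit with no ticket and a new file nobody approved.
        (root / "etc" / "issuing.conf").write_text("signing_profile=dv\n")
        (root / "etc" / "backdoor.conf").write_text("allow_all=yes\n")

        return reconcile(baseline, snapshot(root), approved, SAMPLE_NOW)


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a.kind:8s} {a.path}  respond by {a.respond_by.isoformat()}")
```

In practice the snapshot loop runs on a schedule of minutes (or is replaced by an inotify or audit-log feed), and the approved-change list is pulled from the ticketing system rather than built in code; the reconciliation rule is the part that matters, since it is what turns "every modification" into "every modification not authorized through change management".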