[Servercert-wg] Voting Begins: Ballot SC29v3: System Configuration Management

Ryan Sleevi sleevi at google.com
Thu May 7 07:15:31 MST 2020 

Google votes YES

While we believe that this is an important useful improvement over the
status quo, we are concerned with the interpretation offered within the
ballot proposal preamble, with respect to whether or not third party
automatic software updates meet the level of baseline expectations of a
publicly trusted CA.

Specifically, we disagree with the viewpoint that automatic software
updates from third party sources can reasonably be suggested to meet the
“principles of documentation, approval and review”. Rather than upholding a
process of “documentation (of the proposed change), approval (of the
proposed change), and review (that the actual change matches the proposed
change)”, such an interpretation instead inverts this flow. The new
sequence is one where there is “approval (of arbitrary changes), review (to
determine what changed), and documentation (of what was changed by a
third-party)”.

Such a change management process is largely indistinguishable from the
current post-facto monitoring.To avoid any confusion that we may support an
interpretation that such automatic updates are allowed, by virtue of our
YES vote, it’s necessary to include this clarification.

As mentioned during the discussions of this ballot, we’re strongly
supportive of practices that enable automation and agility, and there are
readily available solutions to facilitate these goals, while adhering to
these reasonable expectations. Enabling systems like Windows Server Update
Services or locally-maintained package repositories, which facilitate
documentation, approval, and review in an agile way, can help CAs succeed.
Similarly, systems management tools that facilitate automation of patch
installation, but from a CA-managed system and repository, are similar ways
to achieve the same goal.

But however this is achieved, for clarity, our expectation for all CAs
trusted by our software is to implement the process of documentation of
proposed changes, approval of those changes, and review to confirm that
those changes were correctly and accurately made, combined with the
detection of any unauthorized or unexpected changes. Automatic software
updates from third party sources fail to uphold this principle, and thus
are not acceptable for CAs trusted by our software.

On Thu, Apr 30, 2020 at 10:15 AM Neil Dunbar via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> This begins the voting period for the Ballot SC29v3: System Configuration
> Management
>
> Having consulted on-list to see if the voluntary moratorium on changes was
> over, I got no objection to proceeding with voting on this ballot, so here
> it is.
> Purpose of Ballot:
>
> Two sections of the current NSRs contain requirements for configuration
> management. Section 1(h) demands a weekly review and Section 3(a) a process
> to monitor, detect and report on security-related configuration changes.
>
> There was consensus in the discussions of the Network Security Subgroup
> that unauthorized or unintentional configuration changes can introduce high
> security risks but the current wording allows CAs to comply with s1(h)
> without noticing such a change for several days. Whether the weekly human
> reviews have to be performed every 7 days or just once per week is a matter
> of interpretation but for the discussion of our proposal this is
> immaterial. The change we are proposing seeks to encourage CAs to rely on
> continuous monitoring rather than human reviews because alerts created by a
> continuous monitoring solution can notify a CA by orders of magnitude
> earlier than a human review i.e. within minutes not within days.
>
> To answer the question as to whether automated patching via defined
> software vendor repositories is allowed: the answer is YES - this is
> allowed by the text of the ballot. The proposers and seconders publish no
> judgement on the desirability of such a process, but if it defined and
> documented per the terms of the ballot, such a process does not contravene
> the text of this ballot.
>
> The GitHub redline is:
> https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:aefc8ad?diff=split
>
> Regards,
>
> Neil
>
> *--- MOTION BEGINS ---*
>
> *This ballot modifies the “Network and Certificate System Security
> Requirements” based on Version 1.3.*
>
>
>
> *(Each CA or Delegated Third Party SHALL) (...) *
>
> *Insert as new Section 1(h)*
>
> *Ensure that the CA’s security policies encompass a change management
> process, following the principles of documentation, approval and review,
> and to ensure that all changes to Certificate Systems, Issuing Systems,
> Certificate Management Systems, Security Support Systems, and Front-End /
> Internal-Support Systems follow said change management process;*
>
>
> *Remove from Section 3(a) *
>
> *Implement a Security Support System under the control of CA or Delegated
> Third Party Trusted Roles that monitors, detects, and reports any
> security-related configuration change to Certificate Systems;*
>
> *Insert as new Section 3(a)*
>
> *Implement a System under the control of CA or Delegated Third Party that
> continuously monitors, detects, and alerts personnel to any modification to
> Certificate Systems, Issuing Systems, Certificate Management Systems,
> Security Support Systems, and Front-End / Internal-Support Systems unless
> the change has been authorized through a change management process.  The CA
> or Delegated Third Party shall respond to the alert and initiate a plan of
> action within at most twenty-four (24) hours.*
>
> *Effective date*
>
>
> *The changes introduced by this Ballot take effect on 1 November 2020.
> Earlier adoption is permitted. *
>
>
> *--- MOTION ENDS --- *
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2020-04-14 17:00:00 UTC
>
> End Time: 2020-04-30 17:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: 2020-04-30 17:00:00 UTC
>
> End Time: 2020-05-07 17:00:00 UTC
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200507/ce02bdce/attachment-0001.html>

More information about the Servercert-wg mailing list