[Servercert-wg] Ballot SCXX: Security Requirements for Air-Gapped CA Systems
Ben Wilson
bwilson at mozilla.com
Thu Nov 19 15:09:12 MST 2020
Thanks, Wayne. There are some good questions here. I will take them back
and review them with the Document Restructuring subgroup that prepared the
ballot.
On Wed, Nov 18, 2020 at 9:00 AM Wayne Thayer <wthayer at gmail.com> wrote:
> Ben,
>
> I have some questions about the proposed language.
>
> On Mon, Nov 2, 2020 at 10:19 AM Ben Wilson via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>>
>> 5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS
>>
>> This Section 5 separates requirements for Air-Gapped CA Systems into two
>> categories--logical security and physical security.
>>
>> Logical Security of Air-Gapped CA Systems
>>
>> Certification Authorities and Delegated Third Parties SHALL implement the
>> following controls to ensure the logical security of Air-Gapped CA Systems:
>>
>> a. Review static configurations of Air-Gapped CA Systems at least on an
>> annual basis to determine whether any changes violated the CA’s security
>> policies;
>>
>
> Is "static" necessary here, or would it be clearer just to "review
> configurations"?
>
> The phrase "...to determine whether any changes violated the CA’s security
> policies;" seems unnecessary and a bit confusing (changes to static
> configurations?).
>
>
>> b. Follow a documented procedure for appointing individuals to Trusted
>> Roles on Air-Gapped CA Systems;
>>
>
> A "Trusted Role on a system" doesn't make sense to me. I think the meaning
> here is "...to any Trusted Roles that grant the individual privileges on
> Air-Gapped CA Systems;"
>
>> c. Grant logical access to Air-Gapped CA Systems only to persons acting in
>> Trusted Roles and require their accountability for the Air-Gapped CA
>> System's security;
>>
>
> How does a CA "require their accountability"? I'm skeptical that this part
> of the requirement adds value, and it seems better suited for BR section
> 5.3 (Personnel controls).
>
>> d. Document the responsibilities and tasks assigned to Trusted Roles and
>> implement "separation of duties" for such Trusted Roles based on the
>> security-related concerns of the functions to be performed;
>>
>
> How is "separation of duties" relevant in the context of Air-Gapped
> systems? In my experience, operations on Air-Gapped systems are performed
> in ceremonies and include multi-party authentication. I'm concerned that
> this requirement could be interpreted as adding requirements that don't fit
> those processes.
>
>> e. Ensure that an individual in a Trusted Role acts only within the scope
>> of such role when performing administrative tasks assigned to that role;
>>
>> f. Require employees and contractors to observe the principle of "least
>> privilege" when accessing, or when configuring access privileges on,
>> Air-Gapped CA Systems;
>>
>> g. Require that all access to systems and offline key material can be
>> traced back to an individual in a Trusted Role (through a combination of
>> recordkeeping, use of logical and physical credentials, authentication
>> factors, video recording, etc.);
>>
>> h. If an authentication control used by a Trusted Role is a username and
>> password, then, where technically feasible, require that passwords have at
>> least twelve (12) characters;
>>
>> i. Review logical access control lists at least annually and deactivate
>> any accounts that are no longer necessary for operations;
>>
>> j. Enforce Multi-Factor Authentication OR multi-party authentication for
>> administrator access to Air-Gapped CA Systems;
>>
>> k. Identify those Air-Gapped CA Systems capable of monitoring and logging
>> system activity and enable those systems to continuously monitor and log
>> system activity. Back up logs to an external system each time the system is
>> used or on a quarterly basis, whichever is less frequent;
>>
>> l. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, check the integrity of the logical access
>> logging processes and ensure that logging and log-integrity functions are
>> effective;
>>
>> m. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, monitor the archival and retention of logical
>> access logs to ensure that logs are retained for the appropriate amount of
>> time in accordance with the disclosed business practices and applicable
>> legislation.
>>
>> n. Reserved for future use
>>
>> o. Reserved for future use
>>
>> Physical Security of Air-Gapped CA Systems
>>
>> Certification Authorities and Delegated Third Parties SHALL implement the
>> following controls to ensure the physical security of Air-Gapped CA Systems:
>>
>> p. Grant physical access to Air-Gapped CA Systems only to persons acting
>> in Trusted Roles and require their accountability for the Air-Gapped CA
>> System’s security;
>>
>
> Same comment as above on accountability.
>
>> q. Ensure that only personnel assigned to Trusted Roles have physical
>> access to Air-Gapped CA Systems and multi-person access controls are
>> enforced at all times;
>>
>> r. Implement a process that removes physical access of an individual to
>> all Air-Gapped CA Systems within twenty four (24) hours upon termination of
>> the individual’s employment or contracting relationship with the CA or
>> Delegated Third Party;
>>
>> s. Implement video monitoring, intrusion detection, and intrusion
>> prevention controls to protect Air-Gapped CA Systems against unauthorized
>> physical access attempts;
>>
>> t. Implement a Security Support System that monitors, detects, and
>> reports any security-related configuration change to the physical access to
>> Air-Gapped CA Systems;
>>
>
> I'm not convinced that the NCSSR definition of Security Support System
> fits here. Would feeding the logs from a physical security system into a
> CA's logging and monitoring pipeline satisfy this requirement?
>
>> u. Review all system accounts on physical access control lists at least
>> every three (3) months and deactivate any accounts that are no longer
>> necessary for operations;
>>
>
> What does "system accounts on physical access control lists" mean? Are we
> talking about logical access to physical security systems?
>
>> v. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, monitor the archival and retention of the
>> physical access logs to ensure that logs are retained for the appropriate
>> amount of time in accordance with the disclosed business practices and
>> applicable legislation.
>>
>> w. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, check the integrity of the physical access
>> logging processes and ensure that logging and log-integrity functions are
>> effective.
>>
>