[Servercert-wg] Ballot SC40: Security Requirements for Air-Gapped CA Systems

Aaron Gable aaron at letsencrypt.org
Thu Feb 4 00:31:32 UTC 2021


Indeed! But to achieve that end, it could be phrased in the same manner as
5l and 5m: requiring that configuration be reviewed when (or more strictly,
immediately prior to when) the air-gapped system is used, or on a yearly
basis, whichever is less frequent.

On Wed, Feb 3, 2021 at 12:51 PM Ryan Sleevi <sleevi at google.com> wrote:

>
>
> On Wed, Feb 3, 2021 at 3:46 PM Aaron Gable via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Thanks! Just one question on specifics:
>>
>> > 5a. Review configurations of Air-Gapped CA Systems at least on an
>> annual basis;
>>
>> Regular review of configuration of air-gapped systems seems good, but
>> this sounds like it requires CAs to retrieve and turn on air-gapped systems
>> which would otherwise be able to remain untouched. Is there another form of
>> configuration review which does not require access to the system itself
>> that is intended here?
>>
>
> How would you know they had indeed actually otherwise remained untouched?
> :)
>