[Servercert-wg] Ballot SC40v2: Security Requirements for Air-Gapped CA Systems
Ryan Sleevi
sleevi at google.com
Tue Feb 16 16:12:05 UTC 2021
That seems like a dangerous workflow. I'm surprised to hear that CAs
practice it. I'm more familiar with the ceremonies that have you
transcribe-and-verify.
How do you prevent unwanted things from hitching a ride on the USB stick?
On Tue, Feb 16, 2021 at 7:28 AM Wiedenhorst, Matthias via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Hi Ben, Hi all,
>
>
>
> maybe I am misunderstanding, but what is the intended meaning of „with the
> use of a non-persistent unidirectional mechanism”?
>
> As far as I know, it is a common implementation to generate CA keys and a
> CSR on “Issuing CA HSM”, than transport the CSR to the Offline Root (e.g.
> by external USB flash drive), create and sign the CA certificate and then
> export the CA certificate back to the “Issuing CA HSM”.
>
> Obviously this involves transport of data to and from the HSM and wouldn’t
> be unidirectional in my understanding.
>
>
>
> Best regards
>
> Matthias
>
>
>
> *Von:* Servercert-wg <servercert-wg-bounces at cabforum.org> *Im Auftrag von
> *Ben Wilson via Servercert-wg
> *Gesendet:* Montag, 15. Februar 2021 19:38
> *An:* CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Betreff:* Re: [Servercert-wg] Ballot SC40v2: Security Requirements for
> Air-Gapped CA Systems
>
>
>
> All,
>
> I intend to end the discussion period for this ballot and move this to the
> voting period this week. Are there additional comments or changes that must
> be made?
>
> Also, there is a marked-up version of the Network and Certificate Systems
> Security Requirements for your review here in GitHub:
> https://github.com/sleevi/cabforum-docs/commit/d80c8ddac79e66cf293847cffd66b113285f5407
> .
>
> Thanks,
>
> Ben
>
>
>
> On Mon, Feb 8, 2021 at 10:02 AM Ben Wilson <bwilson at mozilla.com> wrote:
>
> This is a continuation of discussion on the air-gapped CA ballot. (As
> noted below, this formally continues the discussion for this ballot, as of 2021-02-08
> 17:00 UTC. This discussion period will continue until initiation of the
> Voting Period (TBD) unless extended or as otherwise determined, pursuant to
> the CA/Browser Forum Bylaws.
>
>
>
> I renumbered the sections -- 5.1 for logical security and 5.2 for physical
> security. I have not attempted yet to address the comments between Aaron
> and Ryan re: accessing the air-gapped CA for checking configuration. Maybe
> that section needs to remain "as is" or with clarification that a desktop
> review of CA configuration would be satisfactory if the air-gapped CA has
> not been physically touched.
>
>
>
> I have also modified the definition of "Air-Gapped CA System" for
> discussion purposes as:
>
>
> A system that is (a) kept offline or otherwise air-gapped, (b) physically
> and logically separated from all other CA systems, and (c) is used by a CA
> or Delegated Third Party to store and manage CA private keys and to sign CA
> certificates, CRLs, or OCSP responses.
>
> "Kept offline or otherwise air-gapped" means that the CA hardware is
> powered off, and if powered on, is not connected to any other system at any
> time. Export of data (e.g. CA public keys, signed CA certificates, CRLs, or
> OCSP responses) from an Air-Gapped CA System would only occur briefly and
> temporarily with the use of a non-persistent unidirectional mechanism, such
> as an external drive or a unidirectional diode or gateway.
>
>
>
> ------------------
>
>
>
> *Ballot SC 40v2: Security Requirements for Air-Gapped CA Systems*
>
>
>
> Purpose of the Ballot:
>
>
>
> This ballot increases the security of Air-Gapped/Offline CA systems
> (“Air-Gapped CA Systems”) by clarifying the controls that CAs must
> implement to protect them.
>
>
>
> Air-Gapped CA systems are maintained in physically isolated environments,
> and while they can share certain exterior physical controls with online
> systems, they are not connected to online systems or the Internet. Thus,
> they have different operational requirements and controls due to their
> separate risk profile. While the scope of the current Network and
> Certificate System Security Requirements includes Air-Gapped CA systems,
> the document focuses on online systems and contains a number of
> requirements that are not practical to implement in an offline environment
> and could increase the risk to offline systems.
>
> As an example, access to offline systems frequently elevates the risk to
> the environment. A quarterly vulnerability scan in the offline environment
> is not practical, because there is an increased risk involved with
> attaching a scanning device to an Air-Gapped CA system. As another example,
> because such systems are not connected, the provisions of subsection 1.g
> (ports and protocols) are not applicable.
>
> This ballot develops a working definition for an “Air-Gapped CA System” to
> allow for a clear delineation between those system components that fall
> under this category of Air-Gapped/Offline requirements and those under
> other requirements. In doing so, the ballot creates two sets of
> requirements tailored to their respective operating environments and
> characteristics.
>
> Not only does this ballot introduce a new section 5, it also adds
> additional physical security requirements for air-gapped CAs by requiring
> video monitoring, intrusion detection, and other intrusion prevention
> controls to protect Air-Gapped CA Systems against unauthorized physical
> access attempts.
>
>
>
> These proposed subsections in a new section 5 come from the current NCSSRs
> as follows:
>
>
>
> *Description*
>
> *Offline *
>
> *Criteria #*
>
> *General *
>
> *Criteria #*
>
> *5.1 Logical Security of Air-Gapped CA Systems*
>
> Configuration review
>
> 5.1.1
>
> 1h
>
> Appointing individuals to trusted roles
>
> 5.1.2
>
> 2a
>
> Grant access to Air-Gapped CAs
>
> 5.1.3
>
> 1i
>
> Document responsibilities of Trusted roles
>
> 5.1.4
>
> 2b
>
> Segregation of duties
>
> 5.1.5
>
> 2d
>
> Require least privileged access for Trusted Roles
>
> 5.1.6
>
> 2e
>
> All access tracked to individual account
>
> 5.1.7
>
> 2f
>
> Password requirements
>
> 5.1.8
>
> 2gi
>
> Review logical access
>
> 5.1.9
>
> 2j
>
> Implement multi-factor access
>
> 5.1.10
>
> 2m
>
> Monitor Air-Gapped CA systems
>
> 5.1.11
>
> 3b
>
> Review logging integrity
>
> 5.1.12
>
> 3e
>
> Monitor archive and retention of logs
>
> 5.1.13
>
> 3f
>
> *5.2 Physical Security of Air-Gapped CA Systems*
>
> Grant physical access
>
> 5.2.1
>
> 1i
>
> Multi-person physical access
>
> 5.2.2
>
> 1j
>
> Review physical access
>
> 5.2.3
>
> 2j
>
> Video monitoring
>
> 5.2.4
>
> 3a
>
> Physical access monitoring
>
> 5.2.5
>
> 3a
>
> Review accounts with physical access
>
> 5.2.6
>
> 2j
>
> Monitor retention of physical access of records
>
> 5.2.7
>
> 3f
>
> Review integrity of physical access logs
>
> 5.2.8
>
> 3e
>
>
>
> This motion is made by Ben Wilson of Mozilla and endorsed by David Kluge
> of Google Trust Services and Neil Dunbar of TrustCor.
>
>
>
> --- Motion Begins ---
>
>
>
> That the CA/Browser Forum Server Certificate Working Group adopt the
> following requirements as amendments to the Network and Certificate System
> Security Requirements.
>
>
>
> Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and as
> Air-Gapped CA Systems, in accordance with Section 5;"
>
> Add definition of "Air-Gapped CA System" as "A system that is (a) kept
> offline or otherwise air-gapped, (b) physically and logically separated
> from all other CA systems, and (c) is used by a CA or Delegated Third Party
> to store and manage CA private keys and to sign CA certificates, CRLs, or
> OCSP responses. ‘Kept offline or otherwise air-gapped’ means that the CA
> hardware is powered off, and if powered on, is not connected to any other
> system at any time. Export of data (e.g. CA public keys, signed CA
> certificates, CRLs, or OCSP responses) from an Air-Gapped CA System would
> only occur briefly and temporarily with the use of a non-persistent
> unidirectional mechanism, such as an external drive or unidirectional diode
> or gateway."
>
> Revise the definition of Security Support System to read:
>
> A system used to provide physical and logical security support functions,
> which MAY include authentication, network boundary control, audit logging,
> audit log reduction and analysis, vulnerability scanning, and intrusion
> detection (physical intrusion detection, Host-based intrusion detection,
> Network-based intrusion detection).
>
> Add a new Section 5 -
>
> *5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS*
>
> This Section 5 separates requirements for Air-Gapped CA Systems into two
> categories--logical security and physical security.
>
> *5.1 Logical Security of Air-Gapped CA Systems*
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the logical security of Air-Gapped CA Systems:
>
> 1. Review configurations of Air-Gapped CA Systems at least on an annual
> basis;
>
> 2. Follow a documented procedure for appointing individuals to those
> Trusted Roles that are authorized to operate Air-Gapped CA Systems;
>
> 3. Grant logical access to Air-Gapped CA Systems only to persons acting in
> Trusted Roles and implement controls so that all logical access to
> Air-Gapped CA Systems can be traced back to an accountable individual;
>
> 4. Document the responsibilities assigned to Trusted Roles based on the
> security principle of multi-person control and the security-related
> concerns of the functions to be performed;
>
> 5. Ensure that an individual in a Trusted Role acts only within the scope
> of such role when performing administrative tasks assigned to that role;
>
> 6. Require employees and contractors to observe the principle of "least
> privilege" when accessing, or when configuring access privileges on,
> Air-Gapped CA Systems;
>
> 7. Require that all access to systems and offline key material can be
> traced back to an individual in a Trusted Role (through a combination of
> recordkeeping, use of logical and physical credentials, authentication
> factors, video recording, etc.);
>
> 8. If an authentication control used by a Trusted Role is a username and
> password, then, where technically feasible require that passwords have at
> least twelve (12) characters;
>
> 9. Review logical access control lists at least annually and deactivate
> any accounts that are no longer necessary for operations;
>
> 10. Enforce Multi-Factor Authentication OR multi-party authentication for
> administrator access to Air-Gapped CA Systems;
>
> 11. Identify those Air-Gapped CA Systems capable of monitoring and logging
> system activity and enable those systems to continuously monitor and log
> system activity. Back up logs to an external system each time the system is
> used or on a quarterly basis, whichever is less frequent;
>
> 12. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, check the integrity of the logical access
> logging processes and ensure that logging and log-integrity functions are
> effective;
>
> 13. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, monitor the archival and retention of logical
> access logs to ensure that logs are retained for the appropriate amount of
> time in accordance with the disclosed business practices and applicable
> legislation.
>
> *5.2 Physical Security of Air-Gapped CA Systems*
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the physical security of Air-Gapped CA Systems:
>
> 1. Grant physical access to Air-Gapped CA Systems only to persons acting
> in Trusted Roles and implement controls so that all physical access to
> Air-Gapped CA Systems can be traced back to an accountable individual;
>
> 2. Ensure that only personnel assigned to Trusted Roles have physical
> access to Air-Gapped CA Systems and multi-person access controls are
> enforced at all times;
>
> 3. Implement a process that removes physical access of an individual to
> all Air-Gapped CA Systems within twenty-four (24) hours upon termination of
> the individual’s employment or contracting relationship with the CA or
> Delegated Third Party;
>
> 4. Implement video monitoring, intrusion detection, and intrusion
> prevention controls to protect Air-Gapped CA Systems against unauthorized
> physical access attempts;
>
> 5. Implement a Security Support System that monitors, detects, and alerts
> personnel to any physical access to Air-Gapped CA Systems;
>
> 6. Implement a process that prevents physical access of an individual to
> an Air-Gapped CA within twenty-four (24) hours of removal from the relevant
> authorized Trusted Role, and review lists of holders of physical keys and
> combinations to doors and safes as well as logical accounts tied to
> physical access controls at least every three (3) months, and;
>
> 7. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, monitor the archival and retention of the
> physical access logs to ensure that logs are retained for the appropriate
> amount of time in accordance with the disclosed business practices and
> applicable legislation.
>
> 8. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, check the integrity of the physical access
> logging processes and ensure that logging and log-integrity functions are
> effective.
>
>
>
> --- Motion Ends ---
>
>
>
> Discussion Period -
>
>
>
> This ballot proposes a Final Maintenance Guideline.
>
>
>
> The procedure for approval of this ballot is as follows:
>
>
>
> Discussion (7+ days)
>
> Start Time: 2021-02-08 17:00 UTC
>
> End Time: TBD (not before 2021-02-09 17:00 UTC
>
>
>
> Vote for approval (7 days)
>
> Start Time: TBD
>
> End Time: TBD
>
>
>
> *______________________________________________________________________________________________________________________**Sitz der Gesellschaft/Headquarter:* TÜV Informationstechnik GmbH * Langemarckstr. 20 * 45141 Essen, Germany*Registergericht/Register Court:* Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251*Geschäftsführung/Management Board:* Dirk Kretzschmar
>
>
> *TÜV NORD GROUP*Expertise for your Success
>
> *Please visit our website: www.tuv-nord.com <http://www.tuv-nord.com>
> Besuchen Sie unseren Internetauftritt: www.tuev-nord.de <http://www.tuev-nord.de>*
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210216/1f18acf3/attachment-0001.html>
More information about the Servercert-wg
mailing list