[Servercert-wg] Ballot SC40v2: Security Requirements for Air-Gapped CA Systems

Ben Wilson bwilson at mozilla.com
Tue Feb 16 16:54:36 UTC 2021


You both make good points. Let's see if we can improve the wording.

On Tue, Feb 16, 2021 at 9:12 AM Ryan Sleevi via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> That seems like a dangerous workflow. I'm surprised to hear that CAs
> practice it. I'm more familiar with the ceremonies that have you
> transcribe-and-verify.
>
> How do you prevent unwanted things from hitching a ride on the USB stick?
>
> On Tue, Feb 16, 2021 at 7:28 AM Wiedenhorst, Matthias via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Hi Ben, Hi all,
>>
>>
>>
>> maybe I am misunderstanding, but what is the intended meaning of „with
>> the use of a non-persistent unidirectional mechanism”?
>>
>> As far as I know, it is a common implementation to generate CA keys and a
>> CSR on “Issuing CA HSM”, then transport the CSR to the Offline Root (e.g.
>> by external USB flash drive), create and sign the CA certificate and then
>> export the CA certificate back to the “Issuing CA HSM”.
>>
>> Obviously this involves transport of data to and from the HSM and
>> wouldn’t be unidirectional in my understanding.
>>
>>
>>
>> Best regards
>>
>> Matthias
>>
>>
>>
>> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> *On behalf
>> of *Ben Wilson via Servercert-wg
>> *Sent:* Monday, 15 February 2021 19:38
>> *To:* CA/B Forum Server Certificate WG Public Discussion List <
>> servercert-wg at cabforum.org>
>> *Subject:* Re: [Servercert-wg] Ballot SC40v2: Security Requirements for
>> Air-Gapped CA Systems
>>
>>
>>
>> All,
>>
>> I intend to end the discussion period for this ballot and move this to
>> the voting period this week. Are there additional comments or changes that
>> must be made?
>>
>> Also, there is a marked-up version of the Network and Certificate Systems
>> Security Requirements for your review here in GitHub:
>> https://github.com/sleevi/cabforum-docs/commit/d80c8ddac79e66cf293847cffd66b113285f5407
>> .
>>
>> Thanks,
>>
>> Ben
>>
>>
>>
>> On Mon, Feb 8, 2021 at 10:02 AM Ben Wilson <bwilson at mozilla.com> wrote:
>>
>> This is a continuation of discussion on the air-gapped CA ballot. (As
>> noted below, this formally continues the discussion for this ballot, as of 2021-02-08
>> 17:00 UTC. This discussion period will continue until initiation of the
>> Voting Period (TBD) unless extended or as otherwise determined, pursuant to
>> the CA/Browser Forum Bylaws.)
>>
>>
>>
>> I renumbered the sections -- 5.1 for logical security and 5.2 for
>> physical security.  I have not attempted yet to address the comments
>> between Aaron and Ryan re: accessing the air-gapped CA for checking
>> configuration. Maybe that section needs to remain "as is" or with
>> clarification that a desktop review of CA configuration would be
>> satisfactory if the air-gapped CA has not been physically touched.
>>
>>
>>
>> I have also modified the definition of "Air-Gapped CA System" for
>> discussion purposes as:
>>
>>
>> A system that is (a) kept offline or otherwise air-gapped, (b) physically
>> and logically separated from all other CA systems, and (c) is used by a CA
>> or Delegated Third Party to store and manage CA private keys and to sign CA
>> certificates, CRLs, or OCSP responses.
>>
>> "Kept offline or otherwise air-gapped" means that the CA hardware is
>> powered off, and if powered on, is not connected to any other system at any
>> time. Export of data (e.g. CA public keys, signed CA certificates, CRLs, or
>> OCSP responses) from an Air-Gapped CA System would only occur briefly and
>> temporarily with the use of a non-persistent unidirectional mechanism, such
>> as an external drive or a unidirectional diode or gateway.
>>
>>
>>
>> ------------------
>>
>>
>>
>> *Ballot SC 40v2: Security Requirements for Air-Gapped CA Systems*
>>
>>
>>
>> Purpose of the Ballot:
>>
>>
>>
>> This ballot increases the security of Air-Gapped/Offline CA systems
>> (“Air-Gapped CA Systems”) by clarifying the controls that CAs must
>> implement to protect them.
>>
>>
>>
>> Air-Gapped CA systems are maintained in physically isolated environments,
>> and while they can share certain exterior physical controls with online
>> systems, they are not connected to online systems or the Internet. Thus,
>> they have different operational requirements and controls due to their
>> separate risk profile. While the scope of the current Network and
>> Certificate System Security Requirements includes Air-Gapped CA systems,
>> the document focuses on online systems and contains a number of
>> requirements that are not practical to implement in an offline environment
>> and could increase the risk to offline systems.
>>
>> As an example, access to offline systems frequently elevates the risk to
>> the environment. A quarterly vulnerability scan in the offline environment
>> is not practical, because there is an increased risk involved with
>> attaching a scanning device to an Air-Gapped CA system. As another example,
>> because such systems are not connected, the provisions of subsection 1.g
>> (ports and protocols) are not applicable.
>>
>> This ballot develops a working definition for an “Air-Gapped CA System”
>> to allow for a clear delineation between those system components that fall
>> under this category of Air-Gapped/Offline requirements and those under
>> other requirements. In doing so, the ballot creates two sets of
>> requirements tailored to their respective operating environments and
>> characteristics.
>>
>> Not only does this ballot introduce a new section 5, it also adds
>> additional physical security requirements for air-gapped CAs by requiring
>> video monitoring, intrusion detection, and other intrusion prevention
>> controls to protect Air-Gapped CA Systems against unauthorized physical
>> access attempts.
>>
>>
>>
>> These proposed subsections in a new section 5 come from the current
>> NCSSRs as follows:
>>
>>
>>
>> Description                                         Offline Criteria #   General Criteria #
>> --------------------------------------------------  -------------------  -------------------
>> *5.1 Logical Security of Air-Gapped CA Systems*
>> Configuration review                                5.1.1                1h
>> Appointing individuals to trusted roles             5.1.2                2a
>> Grant access to Air-Gapped CAs                      5.1.3                1i
>> Document responsibilities of Trusted roles          5.1.4                2b
>> Segregation of duties                               5.1.5                2d
>> Require least privileged access for Trusted Roles   5.1.6                2e
>> All access tracked to individual account            5.1.7                2f
>> Password requirements                               5.1.8                2gi
>> Review logical access                               5.1.9                2j
>> Implement multi-factor access                       5.1.10               2m
>> Monitor Air-Gapped CA systems                       5.1.11               3b
>> Review logging integrity                            5.1.12               3e
>> Monitor archive and retention of logs               5.1.13               3f
>> *5.2 Physical Security of Air-Gapped CA Systems*
>> Grant physical access                               5.2.1                1i
>> Multi-person physical access                        5.2.2                1j
>> Review physical access                              5.2.3                2j
>> Video monitoring                                    5.2.4                3a
>> Physical access monitoring                          5.2.5                3a
>> Review accounts with physical access                5.2.6                2j
>> Monitor retention of physical access of records     5.2.7                3f
>> Review integrity of physical access logs            5.2.8                3e
>>
>>
>>
>> This motion is made by Ben Wilson of Mozilla and endorsed by David Kluge
>> of Google Trust Services and Neil Dunbar of TrustCor.
>>
>>
>>
>> --- Motion Begins ---
>>
>>
>>
>> That the CA/Browser Forum Server Certificate Working Group adopt the
>> following requirements as amendments to the Network and Certificate System
>> Security Requirements.
>>
>>
>>
>> Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and
>> as Air-Gapped CA Systems, in accordance with Section 5;"
>>
>> Add definition of "Air-Gapped CA System" as "A system that is (a) kept
>> offline or otherwise air-gapped, (b) physically and logically separated
>> from all other CA systems, and (c) is used by a CA or Delegated Third Party
>> to store and manage CA private keys and to sign CA certificates, CRLs, or
>> OCSP responses. ‘Kept offline or otherwise air-gapped’ means that the CA
>> hardware is powered off, and if powered on, is not connected to any other
>> system at any time. Export of data (e.g. CA public keys, signed CA
>> certificates, CRLs, or OCSP responses) from an Air-Gapped CA System would
>> only occur briefly and temporarily with the use of a non-persistent
>> unidirectional mechanism, such as an external drive or unidirectional diode
>> or gateway."
>>
>> Revise the definition of Security Support System to read:
>>
>> A system used to provide physical and logical security support functions,
>> which MAY include authentication, network boundary control, audit logging,
>> audit log reduction and analysis, vulnerability scanning, and intrusion
>> detection (physical intrusion detection, Host-based intrusion detection,
>> Network-based intrusion detection).
>>
>> Add a new Section 5 -
>>
>> *5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS*
>>
>> This Section 5 separates requirements for Air-Gapped CA Systems into two
>> categories--logical security and physical security.
>>
>> *5.1 Logical Security of Air-Gapped CA Systems*
>>
>> Certification Authorities and Delegated Third Parties SHALL implement the
>> following controls to ensure the logical security of Air-Gapped CA Systems:
>>
>> 1. Review configurations of Air-Gapped CA Systems at least on an annual
>> basis;
>>
>> 2. Follow a documented procedure for appointing individuals to those
>> Trusted Roles that are authorized to operate Air-Gapped CA Systems;
>>
>> 3. Grant logical access to Air-Gapped CA Systems only to persons acting
>> in Trusted Roles and implement controls so that all logical access to
>> Air-Gapped CA Systems can be traced back to an accountable individual;
>>
>> 4. Document the responsibilities assigned to Trusted Roles based on the
>> security principle of multi-person control and the security-related
>> concerns of the functions to be performed;
>>
>> 5. Ensure that an individual in a Trusted Role acts only within the scope
>> of such role when performing administrative tasks assigned to that role;
>>
>> 6. Require employees and contractors to observe the principle of "least
>> privilege" when accessing, or when configuring access privileges on,
>> Air-Gapped CA Systems;
>>
>> 7. Require that all access to systems and offline key material can be
>> traced back to an individual in a Trusted Role (through a combination of
>> recordkeeping, use of logical and physical credentials, authentication
>> factors, video recording, etc.);
>>
>> 8. If an authentication control used by a Trusted Role is a username and
>> password, then, where technically feasible require that passwords have at
>> least twelve (12) characters;
>>
>> 9. Review logical access control lists at least annually and deactivate
>> any accounts that are no longer necessary for operations;
>>
>> 10. Enforce Multi-Factor Authentication OR multi-party authentication for
>> administrator access to Air-Gapped CA Systems;
>>
>> 11. Identify those Air-Gapped CA Systems capable of monitoring and
>> logging system activity and enable those systems to continuously monitor
>> and log system activity. Back up logs to an external system each time the
>> system is used or on a quarterly basis, whichever is less frequent;
>>
>> 12. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, check the integrity of the logical access
>> logging processes and ensure that logging and log-integrity functions are
>> effective;
>>
>> 13. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, monitor the archival and retention of logical
>> access logs to ensure that logs are retained for the appropriate amount of
>> time in accordance with the disclosed business practices and applicable
>> legislation.
>>
>> *5.2 Physical Security of Air-Gapped CA Systems*
>>
>> Certification Authorities and Delegated Third Parties SHALL implement the
>> following controls to ensure the physical security of Air-Gapped CA Systems:
>>
>> 1. Grant physical access to Air-Gapped CA Systems only to persons acting
>> in Trusted Roles and implement controls so that all physical access to
>> Air-Gapped CA Systems can be traced back to an accountable individual;
>>
>> 2. Ensure that only personnel assigned to Trusted Roles have physical
>> access to Air-Gapped CA Systems and multi-person access controls are
>> enforced at all times;
>>
>> 3. Implement a process that removes physical access of an individual to
>> all Air-Gapped CA Systems within twenty-four (24) hours upon termination of
>> the individual’s employment or contracting relationship with the CA or
>> Delegated Third Party;
>>
>> 4. Implement video monitoring, intrusion detection, and intrusion
>> prevention controls to protect Air-Gapped CA Systems against unauthorized
>> physical access attempts;
>>
>> 5. Implement a Security Support System that monitors, detects, and alerts
>> personnel to any physical access to Air-Gapped CA Systems;
>>
>> 6. Implement a process that prevents physical access of an individual to
>> an Air-Gapped CA within twenty-four (24) hours of removal from the relevant
>> authorized Trusted Role, and review lists of holders of physical keys and
>> combinations to doors and safes as well as logical accounts tied to
>> physical access controls at least every three (3) months;
>>
>> 7. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, monitor the archival and retention of the
>> physical access logs to ensure that logs are retained for the appropriate
>> amount of time in accordance with the disclosed business practices and
>> applicable legislation; and
>>
>> 8. On a quarterly basis or each time the Air-Gapped CA System is used,
>> whichever is less frequent, check the integrity of the physical access
>> logging processes and ensure that logging and log-integrity functions are
>> effective.
>>
>>
>>
>> --- Motion Ends ---
>>
>>
>>
>> Discussion Period -
>>
>>
>>
>> This ballot proposes a Final Maintenance Guideline.
>>
>>
>>
>> The procedure for approval of this ballot is as follows:
>>
>>
>>
>> Discussion (7+ days)
>>
>> Start Time: 2021-02-08 17:00 UTC
>>
>> End Time: TBD (not before 2021-02-09 17:00 UTC)
>>
>>
>>
>> Vote for approval (7 days)
>>
>> Start Time: TBD
>>
>> End Time: TBD
>>
>>
>>
>> ______________________________________________________________________________________________________________________
>> *Sitz der Gesellschaft/Headquarter:* TÜV Informationstechnik GmbH * Langemarckstr. 20 * 45141 Essen, Germany
>> *Registergericht/Register Court:* Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
>> *Geschäftsführung/Management Board:* Dirk Kretzschmar
>>
>> *TÜV NORD GROUP* Expertise for your Success
>>
>> *Please visit our website: www.tuv-nord.com <http://www.tuv-nord.com>
>> Visit our website: www.tuev-nord.de <http://www.tuev-nord.de>*
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
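The CSR round trip Matthias describes (issuing-CA key and CSR generated on the issuing side, CSR carried to the offline root, signed, certificate carried back) together with the transcribe-and-verify step Ryan refers to, as an added example in Go using only the standard library. This is not code from the ballot, the Forum, or any CA's ceremony tooling. The organisation names, P-384 keys, validity periods, the 159-bit random serial and the use of a SHA-256 digest of the CSR as the value transcribed onto the ceremony script are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on failures that would be bugs rather than ceremony outcomes
// (key generation, random serials, parsing our own output).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate: CA certificate template with a random 159-bit serial. Names, key
// types and validity periods are assumptions, not values from the ballot.
func caTemplate(subject pkix.Name, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// Fingerprint of the CSR DER: written on the ceremony script before the media
// leaves the online side and read back on the offline side (transcribe-and-verify).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// RootSigns runs on the offline side and treats the media as untrusted data:
// exactly one PEM CSR is parsed, nothing is executed, the transcribed fingerprint
// must match, and the CSR must prove possession of its key. The only export
// back across the gap is a pathlen:0 issuing-CA certificate.
func RootSigns(rootKey *ecdsa.PrivateKey, root *x509.Certificate, csrPEM []byte, transcribed string) ([]byte, error) {
	block, rest := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" || len(rest) != 0 {
		return nil, errors.New("media must carry exactly one PEM CSR")
	}
	if Fingerprint(block.Bytes) != transcribed {
		return nil, errors.New("CSR fingerprint does not match the transcribed value")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := caTemplate(csr.Subject, 5)
	tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true // no sub-CAs below the issuing CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// RunCeremony drives both sides of the gap. With tamper=true one byte of the
// CSR is altered in transit and the offline side rejects it.
func RunCeremony(tamper bool) (*x509.Certificate, error) {
	// Offline side: self-signed root; its private key never leaves this system.
	rootKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	rootTmpl := caTemplate(pkix.Name{CommonName: "Example Root CA"}, 20)
	root := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	// Online side: the issuing-CA key is generated in place (in its HSM, in practice); only the CSR travels.
	issKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Issuing CA 1"}}, issKey))
	transcribed := Fingerprint(csrDER) // recorded before the media is unplugged
	if tamper {
		csrDER[len(csrDER)-1] ^= 0x01
	}
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	certPEM, err := RootSigns(rootKey, root, csrPEM, transcribed)
	if err != nil {
		return nil, err
	}
	// Back on the online side: what came off the media must parse and chain to the root.
	block, _ := pem.Decode(certPEM)
	cert := must(x509.ParseCertificate(block.Bytes))
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return cert, err
}

func main() {
	cert := must(RunCeremony(false))
	_, err := RunCeremony(true)
	fmt.Printf("issued %q (pathlen:0=%v); tampered CSR rejected: %v\n", cert.Subject.CommonName, cert.MaxPathLenZero, err)
}
```

`go run` it as a single file. The point of the structure is that the offline side never does anything with the removable media except decode one PEM block, compare its digest against a value recorded before the media was unplugged, and check the CSR's self-signature; the code does not, and cannot, address Ryan's concern about other content riding along on the same device, which is a property of the media handling and the host, not of the CSR processing. The pathlen:0 constraint on the returned certificate is a choice that keeps the issuing CA from minting further CAs without another trip through the air gap.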