[Servercert-wg] Ballot SCXX: Security Requirements for Air-Gapped CA Systems

Wayne Thayer wthayer at gmail.com
Wed Jan 13 00:15:03 UTC 2021


Ben,

On Mon, Jan 11, 2021 at 10:30 AM Ben Wilson <bwilson at mozilla.com> wrote:

>
>
>>>>>>> u. Review all system accounts on physical access control lists at least
>>>>>>> every three (3) months and deactivate any accounts that are no longer
>>>>>>> necessary for operations;
>>>>>>>
>>>>>>
>>>>>> What does "system accounts on physical access control lists" mean?
>>>>>> Are we talking about logical access to physical security systems?
>>>>>>
>>>>>
>>>>> This provision comes from subsection 2.j., which reads “Review all
>>>>> system accounts at least every three (3) months and deactivate any accounts
>>>>> that are no longer necessary for operations”.
>>>>>
>>>>> This issue/question is related to 5.t., above. Many physical access
>>>>> controls have logical access controls. An example of a physical access
>>>>> control list is the configuration of a badge lock that controls access to
>>>>> the rooms in which the Air-Gapped systems are located. So, “yes” to your
>>>>> second question.  Logical accounts that are tied into physical access
>>>>> controls would be included in this requirement.
>>>>>
>>>>
>>>> I agree with the intent, but I think the language could be clearer. I
>>>> also wonder if we need to exclude systems that are not online. For example,
>>>> is it necessary to access the physical environment where the air-gapped CA
>>>> systems are stored every 3 months to review the access control list on an
>>>> electronic safe that implements per-user pin codes?
>>>>
>>>> Because this is really about physical security, what if we re-wrote
>>> this to say something like, "Review all physical access lists at least
>>> every three (3) months, including lists of holders of physical keys and
>>> combinations to doors and safes as well as logical accounts tied to
>>> physical access controls, to ensure that only authorized individuals have
>>> physical access to Air-Gapped CA Systems." ?
>>>
>>>
>> I think this language is clearer, but I'm still concerned that it could
>> imply the need to travel to and access all locations where CA materials are
>> stored to perform this "review". Is the intent for CAs to review readily
>> accessible information - such as online access control system account
>> configurations and documentation of offline device access configurations
>> (e.g. a list of the Trusted Personnel who hold safe keys or combinations)?
>> If so, I'd like to find a clearer way to distinguish that from a
>> requirement that would involve physical access to the device every 3 months
>> (e.g. connecting to an electronic safe or offline HSM to review the actual
>> device configuration).
>>
>
> Not only does this subsection u. need to require the 3-month review of
> access lists, but it also needs to require immediate removal of physical
> access for anyone no longer authorized, similar to section 2.l.  Currently,
> the draft language is as follows:
>
> u. Implement a process that removes all physical access of an individual
> to an Air-Gapped CA within twenty-four (24) hours of removal from the
> relevant authorized Trusted Role, and review lists of holders of physical
> keys and combinations to doors and safes as well as logical accounts tied
> to physical access controls at least every three (3) months, and;
>
>
I propose a small change that I find to be clearer and less problematic
than the current language:

u. Implement a process that prevents physical access of an individual to an
Air-Gapped CA within twenty-four (24) hours of removal from the relevant
authorized Trusted Role, and review lists of holders of physical keys and
combinations to doors and safes as well as logical accounts tied to
physical access controls at least every three (3) months, and;

Thanks,

Wayne

> I would like to move this ballot into the discussion period soon and get
> the entire ballot passed, despite the need to smooth out its rough edges.
> Nonetheless, I really want to improve this language to the extent we can
> during this round of changes. So, if anyone has suggestions on how this
> language in u. can be improved, please let us know. As you can see, some
> action needs to be taken if it is discovered, during a three-month review,
> that physical access had not been timely removed for an individual.
>
> Thanks,
> Ben
>