[Servercert-wg] Ballot SC40v3: Security Requirements for Air-Gapped CA Systems

Ryan Sleevi sleevi at google.com
Mon Mar 8 17:18:32 UTC 2021

On Mon, Mar 8, 2021 at 9:07 AM Wendy Brown - QT3LB-C via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> I'm not sure I agree with the first clause of the definition:  A system
> that is (a) physically and logically separated from all other CA systems
> for 2 reasons:
> 1) if the CA uses an HSM server, it should be able to be connected to the
> HSM when turned on as long as the HSM is powered off when the CA is and not
> connected to any other systems

When would this scenario be used? It seems somewhat dangerous - for
example, if the CA system is considered online, but the HSM considered
offline (even though physically connected, simply powered off), it seems
like there are new threat models to consider (e.g. if the CA system can send
a WoL packet to wake up the HSM system). So I'm trying to understand a bit
more about what scenario this would be useful for, since it sounds like
there's concern that the proposed language would prevent that scenario, to
figure out how to resolve that.

> 2) Why would it not be reasonable to have the same hardware host VMs for
> multiple offline CAs all operated by the same trusted roles? Or some CA
> software can support multiple CAs (such as Red Hat, Unicert, and
> PrimeKey/EJBCA).  Multiple CAs running on the same platform, that is
> offline, should be considered offline, even though they are not physically
> separate from each other.

I'm not sure I understand this second point. Are you suggesting that a CA
running on such a system could have one CA configuration offline, and
another CA configuration online? Or one CA configuration that is considered
air-gapped running on the same machine/software as another CA configuration
that is not?

Neither of those sounds like a good thing to me, and I don't think it'd be
what you'd be suggesting. I *think* in such scenarios we want the same
outcome: namely, if you bring such a system online (whether a device with
multiple VMs or a server instance with multiple CAs), the point at which
*one* is online should be considered the point at which *all* are online,
and the same obligations occur regarding configuration state expectations.
Is that a correct understanding?