[Servercert-wg] Ballot SC40v3: Security Requirements for Air-Gapped CA Systems

Wendy Brown - QT3LB-C wendy.brown at gsa.gov
Mon Mar 8 17:43:48 UTC 2021

No - I am suggesting in both cases these configurations are for offline CAs
but seem to contradict the first clause of the proposed definition: A
system that is (a) physically and logically separated from all other CA

1) an OFFLINE & Air-gapped CA that uses a network HSM - BOTH the CA server
& the HSM are only connected to each other and both powered off,
except when needed to be powered on to do some function like sign or
revoke a cert or issue a CRL
2) again hardware dedicated only to the operation of OFFLINE & Air-gapped
CAs, but potentially hosting multiple offline/Air-gapped CAs on the same
hardware, operated by the same trusted roles - not commingling with
anything considered online or connected to any supporting systems that have
to be online


Wendy Brown
Supporting GSA FPKI
Protiviti Government Services

 703-965-2990 (cell)

wendy.brown at gsa.gov
wendy.brown at protiviti.com

On Mon, Mar 8, 2021 at 12:19 PM Ryan Sleevi <sleevi at google.com> wrote:

> On Mon, Mar 8, 2021 at 9:07 AM Wendy Brown - QT3LB-C via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>> I'm not sure I agree with the first clause of the definition:  A system
>> that is (a) physically and logically separated from all other CA systems
>> for 2 reasons:
>> 1) if the CA uses an HSM server, it should be able to be connected to the
>> HSM when turned on as long as the HSM is powered off when the CA is and not
>> connected to any other systems
> When would this scenario be used? It seems somewhat dangerous - for
> example, if the CA system is considered online, but the HSM considered
> offline (even though physically connected, simply powered off), it seems
> like there are new threat models to consider (e.g. if the CA system can send
> a WoL packet to wake up the HSM system). So I'm trying to understand a bit
> more about what scenario this would be useful for, since it sounds like
> there's concern that the proposed language would prevent that scenario, to
> figure out how to resolve that.
>> 2) Why would it not be reasonable to have the same hardware host VMs for
>> multiple offline CAs all operated by the same trusted roles? Or some CA
>> software can support multiple CAs (such as Red Hat, Unicert, and
>> PrimeKey/EJBCA).  Multiple CAs running on the same platform, that is
>> offline, should be considered offline, even though they are not physically
>> separate from each other.
> I'm not sure I understand this second point. Are you suggesting that a CA
> running on such a system could have one CA configuration offline, and
> another CA configuration online? Or one CA configuration that is considered
> air-gapped running on the same machine/software as another CA configuration
> that is not?
> Neither of those sound like good things to me, and I don't think it'd be
> what you'd be suggesting. I *think* in such scenarios we want the same
> outcome: namely, if you bring such a system online (whether a device with
> multiple VMs or a server instance with multiple CAs), the point at which
> *one* is online should be considered the point in which *all* are online,
> and the same obligations occur regarding configuration state expectations.
> Is that a correct understanding?
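The Wake-on-LAN concern raised in the quoted reply (a cabled but powered-off HSM that the CA host could wake) can be checked for on the wire. The following is an added example, not code from the ballot, the thread, or any CA vendor: a small Python auditor that inspects raw Ethernet II frames captured on the segment between an offline CA host and its network HSM and flags any WoL "magic packet" (six 0xFF bytes followed by the target MAC repeated sixteen times), whether carried directly as EtherType 0x0842 or as a UDP payload to port 7 or 9. The MAC addresses, IP addresses and sample frames are constructed for the example; a real deployment would feed it frames from a capture file or a SPAN port.

```python
# Added example: audit raw Ethernet frames for Wake-on-LAN magic packets on a
# link that is supposed to carry only offline CA <-> HSM traffic. A hit means a
# "powered off but still cabled" device on that link could be woken remotely.
import struct

WOL_ETHERTYPE = 0x0842        # raw WoL frames
WOL_UDP_PORTS = {7, 9}        # echo / discard ports commonly used for UDP WoL
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def _mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def find_magic_payload(payload: bytes):
    """Return the target MAC as a string if payload holds a WoL magic packet
    (6 x 0xFF sync stream, then the MAC repeated 16 times), else None.
    The sync stream may be preceded by arbitrary bytes, so scan for it."""
    sync = b"\xff" * 6
    idx = payload.find(sync)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 16 * 6]
        if len(body) == 96 and body == body[:6] * 16:
            return _mac_str(body[:6])
        idx = payload.find(sync, idx + 1)
    return None


def inspect_frame(frame: bytes):
    """Classify one raw Ethernet II frame. Returns a dict describing a WoL
    attempt (sending MAC, target MAC, transport) or None if benign."""
    if len(frame) < 14:
        return None
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == WOL_ETHERTYPE:
        target = find_magic_payload(frame[14:])
        return {"src": _mac_str(src), "target": target,
                "transport": "ethertype-0x0842"} if target else None
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[14:]
        if len(ip) < 20:
            return None
        ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
        if ip[9] == IPPROTO_UDP and len(ip) >= ihl + 8:
            udp = ip[ihl:]
            _sport, dport, _ulen = struct.unpack("!HHH", udp[:6])
            if dport in WOL_UDP_PORTS:
                target = find_magic_payload(udp[8:])
                if target:
                    return {"src": _mac_str(src), "target": target,
                            "transport": f"udp/{dport}"}
    return None


def audit_frames(frames):
    """Run inspect_frame over a sequence of frames and collect the hits."""
    return [hit for hit in (inspect_frame(f) for f in frames) if hit]


# ---- Constructed sample data (not real captures) ----------------------------
CA_MAC = bytes.fromhex("02aabbccdd01")     # hypothetical offline CA host
HSM_MAC = bytes.fromhex("02aabbccdd02")    # hypothetical network HSM


def build_magic(target_mac: bytes) -> bytes:
    return b"\xff" * 6 + target_mac * 16


def eth(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def udp_ipv4(dst_mac: bytes, src_mac: bytes, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 255])) + udp
    return eth(dst_mac, src_mac, ETHERTYPE_IPV4, ip)


SAMPLE_FRAMES = [
    # benign: an ARP request, no magic payload
    eth(b"\xff" * 6, CA_MAC, 0x0806,
        b"\x00\x01\x08\x00\x06\x04\x00\x01" + CA_MAC + bytes([10, 0, 0, 1])
        + b"\x00" * 6 + bytes([10, 0, 0, 2])),
    # raw EtherType 0x0842 WoL aimed at the HSM
    eth(b"\xff" * 6, CA_MAC, WOL_ETHERTYPE, build_magic(HSM_MAC)),
    # UDP/9 WoL aimed at the HSM
    udp_ipv4(b"\xff" * 6, CA_MAC, 9, build_magic(HSM_MAC)),
]

if __name__ == "__main__":
    for hit in audit_frames(SAMPLE_FRAMES):
        print(hit)
```

Two of the three constructed frames are reported, each with the sending MAC, the MAC the packet would wake, and the transport it used; the ARP frame is not. The practical point for the ballot discussion is that if the CA host and HSM share any link while one of them is "off", this is the kind of traffic that should never appear on it, and a zero-hit audit is one piece of evidence that the powered-off device really is unreachable.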