[Servercert-wg] "Zones" Language in the NetSec Requirements

Ben Wilson bwilson at mozilla.com
Tue Sep 14 20:55:04 UTC 2021


Today in the NetSec subgroup we discussed use of the term "zone" in the
NCSSRs. Previous efforts on this topic have included an abandoned Ballot
SC32 (see e.g.
and other drafts in which we have explored the differentiation between
logical security and physical security.

The NetSec subgroup is again working on the "zones" language and efforts to
delineate the two concepts (logical and physical), but first we want to see
where we might have disagreement, gaps in understanding, or lack of clarity
on the issues and concerns. Thus, the NetSec subgroup is considering
proposing the following as a replacement to section 1.e of the NCSSRs -

"Implement and configure Security Support Systems that protect
communications between Certificate Systems and non‐Certificate Systems
(i.e. public networks and organizational business units that do not provide
PKI‐related services);"

For additional reference, the definition of “Security Support System” would
be slightly amended to read, “A system used to provide physical or logical
security support functions, which MAY include authentication, network
boundary control, audit logging, audit log reduction and analysis,
vulnerability scanning, and intrusion detection (physical intrusion
detection, Host‐based intrusion detection, or Network‐based intrusion
And, for comparison, the current language in section 1.e is, "Implement and
configure Security Support Systems that protect systems and communications
between systems inside Secure Zones and High Security Zones, and
communications with non‐Certificate Systems outside those zones (including
those with organizational business units that do not provide PKI‐related
services) and those on public networks;".

With your input, we can move forward with looking at other places in the
NCSSRs where logical and physical security are not distinguished and where
the term "zone" is used.

Thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210914/2da12215/attachment.html>

More information about the Servercert-wg mailing list