[Servercert-wg] "Zones" Language in the NetSec Requirements

Ryan Sleevi sleevi at google.com
Tue Sep 14 21:06:41 UTC 2021

Hi Ben,

Can you share the risk analysis the NetSec Subcommittee is using to inform
this suggestion? I feel like we've gone in circles on this point, and run
the risk of continuing to do so, but it seems that we can best make
progress here by having a better understanding, and seeing if there is
consensus in, "these are the things that we're worried about preventing,
and these are the things prevented that we think should be allowed."

The change of definition in such a core concept obviously has profound
security impact - potentially hugely positively, or potentially hugely
negative. I'm assuming that such an analysis has already been done, and was
hoping you could share that result.

On Tue, Sep 14, 2021 at 4:55 PM Ben Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> All,
> Today in the NetSec subgroup we discussed use of the term "zone" in the
> NCSSRs. Previous efforts on this topic have included an abandoned Ballot
> SC32 (see e.g.
> https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002033.html),
> and other drafts in which we have explored the differentiation between
> logical security and physical security.
> The NetSec subgroup is again working on the "zones" language and efforts
> to delineate the two concepts (logical and physical), but first we want to
> see where we might have disagreement, gaps in understanding, or lack of clarity
> on the issues and concerns. Thus, the NetSec subgroup is considering
> proposing the following as a replacement to section 1.e of the NCSSRs -
> "Implement and configure Security Support Systems that protect
> communications between Certificate Systems and non‐Certificate Systems
> (i.e. public networks and organizational business units that do not
> provide PKI‐related services);"
> For additional reference, the definition of “Security Support System”
> would be slightly amended to read, “A system used to provide physical or
> logical security support functions, which MAY include authentication,
> network boundary control, audit logging, audit log reduction and analysis,
> vulnerability scanning, and intrusion detection (physical intrusion
> detection, Host‐based intrusion detection, or Network‐based intrusion
> detection).”
> And, for comparison, the current language in section 1.e is, "Implement
> and configure Security Support Systems that protect systems and
> communications between systems inside Secure Zones and High Security Zones,
> and communications with non‐Certificate Systems outside those zones
> (including those with organizational business units that do not provide
> PKI‐related services) and those on public networks;".
> With your input, we can move forward with looking at other places in the
> NCSSRs where logical and physical security are not distinguished and where
> the term "zone" is used.
> Thanks in advance.
> Ben