[Servercert-wg] "Zones" Language in the NetSec Requirements

Ponds-White, Trevoli trevolip at amazon.com
Wed Sep 15 01:09:27 UTC 2021

Hi Ryan,

Let me see if I can describe the change a different way to see if that helps. This change is intended to clarify by adding more specific language about the requirements and removing words that have inconsistent definitions.

I’ll start with the definitions for “Secure Zone” and “High Security Zone”.

Secure Zone: An area (physical or logical) protected by physical and logical controls that appropriately protect the confidentiality, integrity, and availability of Certificate Systems.

High Security Zone: A physical location where a CA’s or Delegated Third Party’s Private Key or cryptographic hardware is located.

When I say “inconsistent” I’m referring to the fact that “Secure Zone” describes a requirement that Certificate Systems need to be physically and logically protected, whereas “High Security Zone” is the location of cryptographic hardware and doesn’t include requirements about protecting it.

One path would be to change the definitions. However, instead we’ve elected to go the route of eliminating those terms and defining inline the expectations with more specific language everywhere those terms are used. So the intent with this change is not to change requirements, but to make it clear what each statement is trying to accomplish.

I’ll use 1.c as a different example. “Maintain Root CA Systems in a High Security Zone and in an offline state or air‐gapped from all other networks;”

Given that a “High Security Zone” is actually just a location where the cryptographic hardware is located, this requirement could be rewritten without modifying the requirements to say “Maintain Root CA Systems in a physical location where a CA’s or Delegated Third Party’s Private Key or cryptographic hardware is located and in an offline state or air‐gapped from all other networks;”

I don’t think that’s the intent of 1.c. I think the intent of 1.c is to say that Root CA systems should be in a physically secured environment and in an offline state or air‐gapped from all other networks.

So for Ben’s question regarding 1.e, we are trying to determine if the language changes the requirements and, if it does, what is missing.

The consensus in the NetSec meeting was that the intent of 1.e is to specify that there should be a boundary between Certificate Systems and non‐Certificate Systems that prohibits or limits communications as applicable per system type. That is, offline certificate systems, online certificate systems, and non-certificate systems shouldn’t be able to transmit data across the boundaries in an unauthorized/unintended manner. However, we wanted to verify if this is the generally accepted interpretation or if there is something we are missing.

I think if you read that language as changing the requirements, that’s a good sign something is missing. The question is: what is missing that was in there when the zones were included that isn’t now?


From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Servercert-wg
Sent: Tuesday, September 14, 2021 14:07
To: Ben Wilson <bwilson at mozilla.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: RE: [EXTERNAL] [Servercert-wg] "Zones" Language in the NetSec Requirements

Hi Ben,

Can you share the risk analysis the NetSec Subcommittee is using to inform this suggestion? I feel like we've gone in circles on this point, and run the risk of continuing to do so, but it seems that we can best make progress here by having a better understanding, and seeing if there is consensus in, "these are the things that we're worried about preventing, and these are the things prevented that we think should be allowed."

The change of definition in such a core concept obviously has profound security impact - potentially hugely positive, or potentially hugely negative. I'm assuming that such an analysis has already been done, and was hoping you could share that result.

On Tue, Sep 14, 2021 at 4:55 PM Ben Wilson via Servercert-wg <servercert-wg at cabforum.org> wrote:

Today in the NetSec subgroup we discussed use of the term "zone" in the NCSSRs. Previous efforts on this topic have included an abandoned Ballot SC32 (see e.g. https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002033.html), and other drafts in which we have explored the differentiation between logical security and physical security.

The NetSec subgroup is again working on the "zones" language and efforts to delineate the two concepts (logical and physical), but first we want to see where we might have disagreement, gaps in understanding, or lack of clarity on the issues and concerns. Thus, the NetSec subgroup is considering proposing the following as a replacement to section 1.e of the NCSSRs:

"Implement and configure Security Support Systems that protect communications between Certificate Systems and non‐Certificate Systems (i.e. public networks and organizational business units that do not provide PKI‐related services);"

For additional reference, the definition of “Security Support System” would be slightly amended to read, “A system used to provide physical or logical security support functions, which MAY include authentication, network boundary control, audit logging, audit log reduction and analysis, vulnerability scanning, and intrusion detection (physical intrusion detection, Host‐based intrusion detection, or Network‐based intrusion detection).”
And, for comparison, the current language in section 1.e is, "Implement and configure Security Support Systems that protect systems and communications between systems inside Secure Zones and High Security Zones, and communications with non‐Certificate Systems outside those zones (including those with organizational business units that do not provide PKI‐related services) and those on public networks;".

With your input, we can move forward with looking at other places in the NCSSRs where logical and physical security are not distinguished and where the term "zone" is used.

Thanks in advance.
