[cabf_netsec] FW: Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements

Moudrick M. Dadashov md at ssc.lt
Wed Aug 2 16:08:05 MST 2017


Why is "A*_n offline_* system used to create a Root Certificate" so 
important here?

The same question goes for "...to generate the Private Key associated 
with a Root Certificate"?

Thanks,
M.D.

On 8/3/2017 1:47 AM, Kirk Hall via Netsec wrote:
>
> WG members – Pat Milot of Entrust wants to suggest the following 
> definition changes to the NetSec Requirements shown below. He is 
> joining the WG, along with Rick Agarwala, but Pat can’t be on the next 
> call.
>
> Can you add to the list of suggestions for change?  Thanks.
>
> Kirk
>
> *From:* Patrick Milot
> *Sent:* Wednesday, August 2, 2017 6:54 AM
> *Subject:* RE: Pre-Ballot 210 - Misc. Changes to the Network and 
> Certificate System Security Requirements
>
> Hi Kirk,
>
> I was thinking about this some more last night and can we suggest more 
> changes.  I would like to make the Root CA and Issuing CA definition 
> crystal clear that the NetSec rules for Root CA Systems apply only to 
> Roots that are maintained offline.  Likewise, the NetSec rules that 
> apply to Issuing Systems will only apply to roots that are used to 
> sign end entity certs or validity status information.  See suggestions.
>
> *Root CA System:* A*_n offline_* system used to create a Root 
> Certificate or to generate, store, or sign with the Private Key 
> associated with a Root Certificate. *_Root CA System is a unique 
> category of system and is not considered to be an Issuing System or 
> part of an Issuing System._*
>
> *Issuing System:* A system used to sign *_end entity_* certificates or 
> validity status information.
>
> The goal would be to address current ridiculous requirements for 
> offline roots under the NetSec requirements.  The end result of these 
> changes would be that if it is clear that Root CA is its own unique 
> category of systems, then the only requirement from the NetSec that 
> would apply to Roots would be for them to be air gapped and offline.
>
> For example, this requirement:
>
> Review configurations of Issuing Systems, Certificate Management 
> Systems, Security Support Systems, and Front‐End / Internal‐Support 
> Systems on at least a weekly basis to determine whether any changes 
> violated the CA’s security policies;
>
> … would then NOT apply to offline roots – having to audit an offline 
> system that is powered off and is on isolated networks every week 
> makes no sense.
>
> I’m providing this wording as an example to the Net Sec WG, but feel 
> free to suggest something else.
>
> Pat
>