[cabf_netsec] [EXTERNAL] Re: Offline Roots

Neil Dunbar ndunbar at trustcorsystems.com
Thu Jul 6 07:44:48 MST 2017


> On 6 Jul 2017, at 15:23, Bruce Morton <Bruce.Morton at entrustdatacard.com> wrote:
> 
> Hi Neil,
>  
> My search was wrong. I should have stated 1d, 1g, 1h, 2m and 2o
>  

So, 2o is essentially inoperative. Perhaps a change like:

FROM: o. Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when:

TO: o. Restrict remote administration or access *to network connected devices* to an Issuing System, Certificate Management System, or Security Support System except when:

(thus making it explicitly inoperative for non-networked systems).

> We had an issue with 2m where we were expected to have multi-factor authentication for an off-line root.

Is MFA for offline roots such a burden? I mean, password and USB connected fingerprint reader, or password and U2F device configured for HMAC-SHA1 challenge would work in an offline login. Doesn’t the actual HSM activation count as 2-factor (PIN plus key auth device)?

Where I’m going with all of this, since we’re in ‘low hanging fruit’ grabbing, is to ensure that the changes are as tight as possible, to avoid controversy while updating the existing NetSec doc.

Cheers,

Neil
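As an added illustration of the offline second factor mentioned above (example code written here, not code from the thread or from any CA/B Forum project), this is the host side of a password plus HMAC-SHA1 challenge-response login that needs no network: the token is simulated in software and the enrolment values are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data for one operator (hypothetical values).
# The token secret is provisioned into the device at enrolment; the host keeps a
# copy so it can check responses with no network access. The password is stored
# only as a salted PBKDF2 hash.
TOKEN_SECRET = bytes.fromhex("7e3a9c1d5b2f4e6a8c0d1f2b3a4c5d6e7f809192")  # 20-byte HMAC-SHA1 key
PASSWORD_SALT = bytes.fromhex("a1b2c3d4e5f60718")
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", PASSWORD_SALT, 200_000)


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What an HMAC-SHA1 challenge-response token computes, simulated in software.
    A real device keeps the secret internally and only returns the digest."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def new_challenge() -> bytes:
    """Fresh random challenge per attempt, so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def check_password(password: bytes) -> bool:
    """Knowledge factor: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, PASSWORD_SALT, 200_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def check_token(challenge: bytes, response: bytes) -> bool:
    """Possession factor: the response must be HMAC-SHA1 over this exact challenge."""
    expected = hmac.new(TOKEN_SECRET, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(expected, response)


def offline_login(password: bytes, respond) -> bool:
    """Two-factor login with no network: `respond` is the callable that asks the token
    to answer a freshly generated challenge. Both factors must pass."""
    challenge = new_challenge()
    response = respond(challenge)
    # Evaluate both factors unconditionally so timing does not reveal which one failed.
    pw_ok = check_password(password)
    tok_ok = check_token(challenge, response)
    return pw_ok and tok_ok


if __name__ == "__main__":
    real_token = lambda c: token_response(TOKEN_SECRET, c)
    print("both factors:", offline_login(b"correct horse battery", real_token))
    print("password only:", offline_login(b"correct horse battery", lambda c: b"\0" * 20))
```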