[cabf_netsec] Threat model approach for "Root CA System"

Dimitris Zacharopoulos jimmy at it.auth.gr
Fri Sep 22 07:12:00 MST 2017


Dear NetSec WG members,

In yesterday's WG meeting, we introduced the idea of approaching the 
"Root CA System" in a "threat model" way and seeing how that turns out. The 
justification behind trying this approach is that the current Network 
Security Requirements include some very specific security requirements 
and controls but don't actually describe what threats they try 
to prevent from happening or which vulnerabilities they try to mitigate. 
Also, defining a reasonable "security perimeter" for a "Root CA System" 
is a challenge, and each CA might see it in a number of ways. Knowing 
what we want to protect against can help CAs better define this 
"security perimeter".

If we list specific threats and vulnerabilities, even obvious ones, then 
we can try to map the current NSR controls to these risks and see if 
they do a reasonable job in 2017. If they don't, we will try improving 
or replacing existing controls or even adding new ones so that the "Root CA 
System" is "reasonably" protected. As we all know, there is no 100% 
security, but "reasonably" for a Root CA System should be pretty close to 
that! We'll also try to talk about what threats we will 
explicitly not try to defend against!

As a note from yesterday's meeting, this threat-model approach might end 
up with different requirements from what CAs are currently being audited 
against. This shouldn't work as a deterrent to improving the security 
of these systems, and once this process matures, there will be adequate 
time for CAs to adapt to the updated security requirements.

If anyone is interested in working with such an approach, please join 
me, Neil Dunbar (TrustCor) and Tom Ritter (Mozilla) by sending me a 
private e-mail. We will work independently and present our work to the 
NetSec WG so the same IPR policy applies.

If this approach improves the Network Security Requirements update 
process, we might expand it to other concepts of the Network Security 
Requirements like the "Certificate Issuing System", or maybe introduce a 
separate "Registration and Enrollment System"; we'll see.


Best regards,
Dimitris.
