[cabf_netsec] Ballot: Security Requirements for Offline CAs
Ben Wilson
bwilson at mozilla.com
Mon Jul 13 08:49:37 MST 2020
All,
Here is the draft ballot for security requirements for Offline CAs. Please
review and let everyone know whether you're willing to sponsor and/or
endorse.
Thanks,
Ben
Ballot SC XX: Security Requirements for Offline CA Systems
Purpose of the Ballot:
Offline CA systems operate differently than online systems and have a
different risk profile. While including Offline CA systems, the current
Network and Certificate System Security Requirements focus on online
systems and contain a number of requirements that are not practical to
implement in an offline environment and could increase the risk to an
offline environment.
As an example, access to offline systems frequently elevates the risk to
the environment. A quarterly vulnerability scan in the offline environment
is not practical, because there is an increased risk involved with
attaching a scanning device to an Offline CA system.
This ballot develops a working definition for an “Offline CA System” to
allow for a clear delineation between those system components that fall
under the “Offline” requirements and those under all other requirements.
While this ballot introduces a new section 5, this ballot only makes minor
changes to the current requirements by replacing some online requirements
with physical security requirements for offline CAs. The new section 5
presents logical security requirements in subsections a through m and
physical security requirements in subsections p through w. Otherwise, this
ballot does not add any new requirements. This will create a separate set
of requirements that apply only to Offline CA Systems.
These proposed subsections in a new section 5 come from the current NCSSRs
as follows:
Description                                           Offline      General
                                                      Criteria #   Criteria #

Logical Security
  Configuration review                                5a           1h
  Appointing individuals to trusted roles             5b           2a
  Grant access to offline CAs                         5c           1i
  Document responsibilities of Trusted roles          5d           2b
  Segregation of duties                               5e           2d
  Require least privileged access for Trusted Roles   5f           2e
  All access tracked to individual account            5g           2f
  Password requirements                               5h           2gi
  Review logical access                               5i           2j
  Implement multi-factor access                       5j           2m
  Monitor offline CA systems                          5k           3b
  Review logging integrity                            5l           3e
  Monitor archive and retention of logs               5m           3f

Physical Security
  Grant physical access                               5p           1i
  Multi-person physical access                        5q           1j
  Review physical access                              5r           2j
  Video monitoring                                    5s           3a
  Physical access monitoring                          5t           3a
  Review accounts with physical access                5u           2j
  Monitor retention of physical access of records     5v           3f
  Review integrity of physical access logs            5w           3e
This motion is made by _______ of _______ and endorsed by ________ of
_________ and ________ of _________.
--- Motion Begins ---
That the CA/Browser Forum Server Certificate Working Group adopt the
following requirements as amendments to the Network and Certificate System
Security Requirements:
https://github.com/BenWilson-Mozilla/documents/commit/99ea75f4ad19c58a7f9eb2829e63fb1678a838fa
Definitions:
Offline CA System: A system that is air-gapped and separated from
other systems used by a CA or Delegated Third Party in storing and managing
CA private keys and performing signing and logging operations.
Requirements:
# 5. GENERAL PROTECTIONS FOR OFFLINE CA SYSTEMS
This Section 5 separates requirements for Offline CA Systems into two
categories--logical security and physical security.
Logical Security of Offline CA Systems
Certification Authorities and Delegated Third Parties SHALL implement the
following controls to ensure the logical security of Offline CA Systems:
a. Review static configurations of Offline CA Systems at least on an
annual basis to determine whether any changes violated the CA’s security
policies;
b. Follow a documented procedure for appointing individuals to Trusted
Roles on Offline CA Systems;
c. Grant logical access to Offline CA Systems only to persons acting
in Trusted Roles and require their accountability for the Offline CA
System’s security;
d. Document the responsibilities and tasks assigned to Trusted Roles
and implement “separation of duties” for such Trusted Roles based on the
security-related concerns of the functions to be performed;
e. Ensure that an individual in a Trusted Role acts only within the
scope of such role when performing administrative tasks assigned to that
role;
f. Require employees and contractors to observe the principle of
“least privilege” when accessing, or when configuring access privileges on,
Offline CA Systems;
g. Require that all access to systems and offline key material can be
traced back to an individual in a Trusted Role (through a combination of
recordkeeping, use of logical and physical credentials, authentication
factors, video recording, etc.);
h. If an authentication control used by a Trusted Role is a username
and password, then, where technically feasible, require that passwords have
at least twelve (12) characters;
i. Review logical access control lists at least annually and
deactivate any accounts that are no longer necessary for operations;
j. Enforce Multi-Factor Authentication OR multi-party authentication
for administrator access to Offline CA Systems;
k. Identify those Offline CA Systems capable of monitoring and logging
system activity and enable those systems to continuously monitor and log
system activity. Back up logs to an external system each time the system is
used or on a quarterly basis, whichever is less frequent;
l. On a quarterly basis or each time the Offline CA System is used,
whichever is less frequent, check the integrity of the logical access
logging processes and ensure that logging and log-integrity functions are
effective;
m. On a quarterly basis or each time the Offline CA System is used,
whichever is less frequent, monitor the archival and retention of logical
access logs to ensure that logs are retained for the appropriate amount of
time in accordance with the disclosed business practices and applicable
legislation.
n. & o. reserved for future use
Physical Security of Offline CA Systems
Certification Authorities and Delegated Third Parties SHALL implement the
following controls to ensure the physical security of Offline CA Systems:
p. Grant physical access to Offline CA Systems only to persons acting
in Trusted Roles and require their accountability for the Offline CA
System’s security;
q. Ensure that only personnel assigned to Trusted Roles have physical
access to Offline CA Systems and multi-person access controls are enforced
at all times;
r. Implement a process that removes physical access of an individual
to all Offline CA Systems within twenty-four (24) hours upon termination of
the individual’s employment or contracting relationship with the CA or
Delegated Third Party;
s. Implement video monitoring, intrusion detection, and prevention
controls to protect Offline CA Systems against unauthorized physical access
attempts;
t. Implement a Security Support System that monitors, detects, and
reports any security-related configuration change to the physical access to
Offline CA Systems;
u. Review all system accounts on physical access control lists at
least every three (3) months and deactivate any accounts that are no longer
necessary for operations;
v. On a quarterly basis or each time the Offline CA System is used,
whichever is less frequent, monitor the archival and retention of the
physical access logs to ensure that logs are retained for the appropriate
amount of time in accordance with the disclosed business practices and
applicable legislation;
w. On a quarterly basis or each time the Offline CA System is used,
whichever is less frequent, check the integrity of the physical access
logging processes and ensure that logging and log-integrity functions are
effective.
--- Motion Ends ---
Discussion Period -