[cabf_netsec] Ballot: Security Requirements for Offline CAs

Ben Wilson bwilson at mozilla.com
Sun Jul 19 14:24:55 MST 2020


If we could get a few endorsers, then we could get a Ballot # assigned.

On Mon, Jul 13, 2020 at 9:49 AM Ben Wilson <bwilson at mozilla.com> wrote:

> All,
> Here is the draft ballot for security requirements for Offline CAs.
> Please review and let everyone know whether you're willing to sponsor
> and/or endorse.
> Thanks,
> Ben
>
> Ballot SC XX: Security Requirements for Offline CA Systems
>
> Purpose of the Ballot:
>
> Offline CA systems operate differently than online systems and have a
> different risk profile. While including Offline CA systems, the current
> Network and Certificate System Security Requirements focus on online
> systems and contain a number of requirements that are not practical to
> implement in an offline environment and could increase the risk to an
> offline environment.
>
> As an example, access to offline systems frequently elevates the risk to
> the environment. A quarterly vulnerability scan in the offline environment
> is not practical, because there is an increased risk involved with
> attaching a scanning device to an Offline CA system.
>
> This ballot develops a working definition for an “Offline CA System” to
> allow for a clear delineation between those system components that fall
> under the “Offline” requirements and those under all other requirements.
> While this ballot introduces a new section 5, this ballot only makes minor
> changes to the current requirements by replacing some online requirements
> with physical security requirements for offline CAs. The new section 5
> presents logical security requirements in subsections a through m and
> physical security requirements in subsections p through w. Otherwise, this
> ballot does not add any new requirements. This will create a separate set
> of requirements that apply only to Offline CA Systems.
>
> These proposed subsections in a new section 5 come from the current NCSSRs
> as follows:
>
> | Description | Offline Criteria # | General Criteria # |
> |---|---|---|
> | Logical Security | | |
> | Configuration review | 5a | 1h |
> | Appointing individuals to trusted roles | 5b | 2a |
> | Grant access to offline CAs | 5c | 1i |
> | Document responsibilities of Trusted roles | 5d | 2b |
> | Segregation of duties | 5e | 2d |
> | Require least privileged access for Trusted Roles | 5f | 2e |
> | All access tracked to individual account | 5g | 2f |
> | Password requirements | 5h | 2gi |
> | Review logical access | 5i | 2j |
> | Implement multi-factor access | 5j | 2m |
> | Monitor offline CA systems | 5k | 3b |
> | Review logging integrity | 5l | 3e |
> | Monitor archive and retention of logs | 5m | 3f |
> | Physical Security | | |
> | Grant physical access | 5p | 1i |
> | Multi-person physical access | 5q | 1j |
> | Review physical access | 5r | 2j |
> | Video monitoring | 5s | 3a |
> | Physical access monitoring | 5t | 3a |
> | Review accounts with physical access | 5u | 2j |
> | Monitor retention of physical access of records | 5v | 3f |
> | Review integrity of physical access logs | 5w | 3e |
>
> This motion is made by _______ of _______ and endorsed by ________ of
> _________ and ________ of _________.
>
>
> --- Motion Begins ---
>
> That the CA/Browser Forum Server Certificate Working Group adopt the
> following requirements as amendments to the Network and Certificate System
> Security Requirements:
>
>
> https://github.com/BenWilson-Mozilla/documents/commit/99ea75f4ad19c58a7f9eb2829e63fb1678a838fa
>
>
> Definitions:
>
> **Offline CA System:** A system that is air-gapped and separated from
> other systems used by a CA or Delegated Third Party in storing and managing
> CA private keys and performing signing and logging operations.
>
> Requirements:
>
> # 5. GENERAL PROTECTIONS FOR OFFLINE CA SYSTEMS
>
> This Section 5 separates requirements for Offline CA Systems into two
> categories: logical security and physical security.
>
> Logical Security of Offline CA Systems
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the logical security of Offline CA Systems:
>
> a. Review static configurations of Offline CA Systems at least on an
> annual basis to determine whether any changes violated the CA’s security
> policies;
>
> b. Follow a documented procedure for appointing individuals to
> Trusted Roles on Offline CA Systems;
>
> c. Grant logical access to Offline CA Systems only to persons acting
> in Trusted Roles and require their accountability for the Offline CA
> System’s security;
>
> d. Document the responsibilities and tasks assigned to Trusted Roles
> and implement “separation of duties” for such Trusted Roles based on the
> security-related concerns of the functions to be performed;
>
> e. Ensure that an individual in a Trusted Role acts only within the
> scope of such role when performing administrative tasks assigned to that
> role;
>
> f. Require employees and contractors to observe the principle of
> “least privilege” when accessing, or when configuring access privileges on,
> Offline CA Systems;
>
> g. Require that all access to systems and offline key material can
> be traced back to an individual in a Trusted Role (through a combination of
> recordkeeping, use of logical and physical credentials, authentication
> factors, video recording, etc.);
>
> h. If an authentication control used by a Trusted Role is a username
> and password, then, where technically feasible, require that passwords have
> at least twelve (12) characters;
>
> i. Review logical access control lists at least annually and
> deactivate any accounts that are no longer necessary for operations;
>
> j. Enforce Multi-Factor Authentication OR multi-party authentication
> for administrator access to Offline CA Systems;
>
> k. Identify those Offline CA Systems capable of monitoring and
> logging system activity and enable those systems to continuously monitor
> and log system activity. Back up logs to an external system each time the
> system is used or on a quarterly basis, whichever is less frequent;
>
> l. On a quarterly basis or each time the Offline CA System is used,
> whichever is less frequent, check the integrity of the logical access
> logging processes and ensure that logging and log-integrity functions are
> effective;
>
> m. On a quarterly basis or each time the Offline CA System is used,
> whichever is less frequent, monitor the archival and retention of logical
> access logs to ensure that logs are retained for the appropriate amount of
> time in accordance with the disclosed business practices and applicable
> legislation.
>
> n. & o. reserved for future use
>
> Physical Security of Offline CA Systems
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the physical security of Offline CA Systems:
>
> p. Grant physical access to Offline CA Systems only to persons
> acting in Trusted Roles and require their accountability for the Offline CA
> System’s security;
>
> q. Ensure that only personnel assigned to Trusted Roles have
> physical access to Offline CA Systems and multi-person access controls are
> enforced at all times;
>
> r. Implement a process that removes physical access of an individual
> to all Offline CA Systems within twenty-four (24) hours upon termination of
> the individual’s employment or contracting relationship with the CA or
> Delegated Third Party;
>
> s. Implement video monitoring, intrusion detection, and prevention
> controls to protect Offline CA Systems against unauthorized physical access
> attempts;
>
> t. Implement a Security Support System that monitors, detects, and
> reports any security-related configuration change to the physical access to
> Offline CA Systems;
>
> u. Review all system accounts on physical access control lists at
> least every three (3) months and deactivate any accounts that are no longer
> necessary for operations;
>
> v. On a quarterly basis or each time the Offline CA System is used,
> whichever is less frequent, monitor the archival and retention of the
> physical access logs to ensure that logs are retained for the appropriate
> amount of time in accordance with the disclosed business practices and
> applicable legislation.
>
> w. On a quarterly basis or each time the Offline CA System is used,
> whichever is less frequent, check the integrity of the physical access
> logging processes and ensure that logging and log-integrity functions are
> effective.
>
>
> --- Motion Ends ---
>
> Discussion Period -
>
>