[cabf_netsec] [EXTERNAL]Re: "Zones" Ballot Endorsers

Mon Jun 1 11:23:14 MST 2020

 Also, in working on this, I recalled that Daymion when he was at Google
had requested that we define the scope of the requirements.
Excerpted below:

Add below section to the “Scope and Applicability” to define scope of PKI
Trusted Environment and to read as follows:

The network security requirements apply to all system components included
in or connected to the publicly trusted certificate authority (CA)
environment. The CA environment is comprised of people, processes and
technologies that store, process, or transmit CA data. “System components”
include network devices, servers, hardware security modules (HSM),
computing devices, and applications residing within the CA environment.
Examples of system components include, but are not limited to the following:

a.    Systems that provide security services (for example, authentication
servers), facilitate segmentation (for example, internal firewalls), or may
impact the security of (for example, name resolution or web redirection
servers).

b.    Virtualization components such as virtual machines, virtual
switches/routers, virtual appliances, virtual applications/desktops, and
hypervisors.

c.    Network components including but not limited to firewalls, switches,
routers, network appliances, IPMI remote management cards, HSM and other
security appliances.

d.    Server types including but not limited to web, application, database,
authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name
System (DNS).

e.    Applications including all purchased and custom applications.

f.    Any other component or device located within the CA environment.

On Thu, May 28, 2020 at 1:01 PM Ben Wilson <bwilson at mozilla.com> wrote:

> I'll work on a re-draft, hopefully this afternoon, and re-circulate it.
>
> On Thu, May 28, 2020 at 12:53 PM Bruce Morton <
> Bruce.Morton at entrustdatacard.com> wrote:
>
>> I would assume that if we did not amend the BRs, then it would look like
>> the security requirements were being reduced. So yes, I think that the BRs
>> should be changed at the same time.
>>
>>
>>
>> Bruce.
>>
>>
>>
>> *From:* Ben Wilson <bwilson at mozilla.com>
>> *Sent:* Thursday, May 28, 2020 2:45 PM
>> *To:* Bruce Morton <Bruce.Morton at entrustdatacard.com>
>> *Cc:* Neil Dunbar <ndunbar at trustcorsystems.com>; CABF Network Security
>> List <netsec at cabforum.org>
>> *Subject:* Re: [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>
>>
>>
>> I'm open to discussion on this.  Would we want to amend section 5.1 of
>> the BRs with the same ballot?
>>
>>
>>
>> On Thu, May 28, 2020 at 12:33 PM Bruce Morton <
>> Bruce.Morton at entrustdatacard.com> wrote:
>>
>> Hi Ben,
>>
>>
>>
>> Thanks for all the work on this ballot. I am wondering if we should try
>> to remove physical security and physical access requirements from the
>> NetSec document. Physical Security requirements could be put into BR 5.1 in
>> a section called Physical Security Controls.
>>
>>
>>
>> For instance, item 1.c. states “Maintain Root CA Systems in a Physically
>> Secure Environment and in an offline state or air-gapped from all other
>> networks.” This could be changed so that 1.c. states “Maintain Root CA
>> Systems in an offline state or air-gapped from all other networks” and BR
>> 5.1 could state “Maintain CA Systems in a physically secure environment.”
>>
>>
>>
>> It also seems that now that the old zone definitions have been combined
>> and now Physically Secure Environment now covers both physical and logical
>> environments. If we eliminate physical security, then we could just address
>> logical security which could be better applied to the NetSec document.
>>
>>
>>
>> In a future ballot, we might want to push some of the Trusted Role
>> requirements into BR 5.2.
>>
>>
>>
>> Thanks, Bruce.
>>
>>
>>
>> *From:* Netsec <netsec-bounces at cabforum.org> *On Behalf Of *Neil Dunbar
>> via Netsec
>> *Sent:* Tuesday, May 26, 2020 7:42 AM
>> *To:* netsec at cabforum.org
>> *Subject:* [EXTERNAL]Re: [cabf_netsec] "Zones" Ballot Endorsers
>>
>>
>>
>> *WARNING:* This email originated outside of Entrust Datacard.
>> *DO NOT CLICK* links or attachments unless you trust the sender and know
>> the content is safe.
>> ------------------------------
>>
>> I'm happy to endorse, Ben. Trev and David also said they would be good to
>> endorse the ballot.
>>
>> Neil
>>
>> On 13/05/2020 20:58, Ben Wilson via Netsec wrote:
>>
>> I can't remember whether there were people who volunteered to be
>> endorsers of the "Zones" ballot.
>>
>>
>>
>> See below:
>>
>>
>>
>> Ballot and Explanation -
>> https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit?usp=sharing
>>
>>
>>
>> Redlined version of NCSSRs -
>> https://drive.google.com/file/d/1n6LPNN0WJY9Cdw5qOl2-fFzQxBiZtw-q/view?usp=sharing
>>
>>
>>
>> _______________________________________________
>>
>> Netsec mailing list
>>
>> Netsec at cabforum.org
>>
>> http://cabforum.org/mailman/listinfo/netsec
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/netsec/attachments/20200601/882730aa/attachment.html>