<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jul 7, 2017, at 6:47 AM, Tom Ritter <<a href="mailto:tom@ritter.vg" class="">tom@ritter.vg</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 7 July 2017 at 04:26, Dimitris Zacharopoulos via Netsec<br class=""><<a href="mailto:netsec@cabforum.org" class="">netsec@cabforum.org</a>> wrote:<br class=""><blockquote type="cite" class="">On 6/7/2017 7:36 μμ, Peter Bowen via Netsec wrote:<br class="">So, to better understand the suggestion, for 2(m) we would need either<br class="">"multi-factor authentication by a single person" OR "single-factor<br class="">authentication by multiple persons". Is that right?<br class=""></blockquote><br class="">Or multi-factor by multiple persons? I don't know how pedantic auditors can be :)<br class=""><br class=""><br class=""><br class="">Question: What doc are you all working off? (I pull up<br class=""><a href="https://cabforum.org/network-security/" class="">https://cabforum.org/network-security/</a> which numbers things<br class="">numerically, not with letters.)<br class=""></div></div></blockquote><div><br class=""></div><a href="https://cabforum.org/wp-content/uploads/Network_Security_Controls_V1.pdf" class="">https://cabforum.org/wp-content/uploads/Network_Security_Controls_V1.pdf</a> is the PDF version which uses letters.<br class=""><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class="">I am also skeptical of issuing a blanket "Does not apply to roots".<br class=""><br class="">1d - I don't understand why this is a problem, since an offline root<br class="">is stored in (as you said) "a high security zone". 
This ought to fit<br class="">the definition of "Secure Zone", no?<br class=""><br class="">1g, 1h - I agree these could be reworked to accommodate offline<br class="">devices. Could change to "Configure **network-connected** Issuing<br class="">Systems…"?<br class=""></div></div></blockquote><div><br class=""></div>This seems like a reasonable change.<br class=""><br class=""><blockquote type="cite" class=""><div class=""><div class="">2m - Agree, I would prefer to keep this requirement even for<br class="">non-network-connected devices, but we should have it be multi-factor<br class="">and/or multi-party.<br class=""></div></div></blockquote><div><br class=""></div><div>Sounds good to me.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">2o - I agree this shouldn't apply, and have no concerns about adding a<br class="">clarifying "network-connected"<br class=""></div></div></blockquote><br class="">Also seems reasonable, but I’m still not sure how one would have remote access to a non-network-connected device.<br class=""><br class=""><blockquote type="cite" class=""><div class=""><div class="">-tom<br class=""></div></div></blockquote></div><br class=""></body></html>