<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jul 6, 2017, at 6:41 AM, Bruce Morton via Netsec <<a href="mailto:netsec@cabforum.org" class="">netsec@cabforum.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div lang="EN-US" link="#0563C1" vlink="#954F72" class="">
<div class="WordSection1"><p class="MsoNormal">There is an issue where the offline roots are considered part of the certificate management system. This leads to requirements which may conflict with the main offline root requirement which states “Maintain Root CA Systems in a High Security
Zone and in an offline state or air-gapped from all other networks.”<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal">There are four requirements (1d, 1g, 1h and 1o) for Certificate Management System which do not need to apply to roots, since the roots are off-line in a high security zone. To remove the issue, we can change the Certificate Management System
definition.<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal">Change from: <b class="">Certificate Management System</b>: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage.<o:p class=""></o:p></p><p class="MsoNormal"><o:p class=""> </o:p></p><p class="MsoNormal">Change to: <b class="">Certificate Management System</b>: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage.
<span style="background:yellow;mso-highlight:yellow" class="">The CA Management System does not include the Root CA System</span>.</p><div class=""><br class=""></div></div></div></div></blockquote><br class=""></div><div>Bruce,</div><div><br class=""></div><div>Would it make more sense to clarify that a CA may have multiple separate Certificate Management Systems? It sounds like there is an assumption that all the equipment is a single “System”. I think the intent is that the CA defines which components (equipment or software) make up each System.</div><div><br class=""></div><div>Thanks,</div><div>Peter</div></body></html>