<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Cambria">Should we replace ETSI TSs with the ENs?<br>
<br>
Thanks,<br>
M.D.<br>
</font><br>
<div class="moz-cite-prefix">On 7/28/2017 1:45 AM, Ben Wilson via
Netsec wrote:<br>
</div>
<blockquote
cite="mid:9037823dd7e24ca29d58d54717a73467@EX2.corp.digicert.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.line867, li.line867, div.line867
{mso-style-name:line867;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Based on Dimitris’ recent updates to the
document on GitHub (see <a moz-do-not-send="true"
href="https://github.com/cabforum/documents/pull/64/files">https://github.com/cabforum/documents/pull/64/files</a>
), I’ve created a pre-ballot that the Working Group should be
able to endorse. See <a moz-do-not-send="true"
href="https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR">https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR</a>
(pasted below). I don’t have the PDF ready yet, but I’ll
circulate it later.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="line867"><strong><span
style="font-family:"Calibri",sans-serif">Ballot
210 - Miscellaneous Changes to the Network and Certificate
System Security Requirements</span></strong> <o:p></o:p></p>
<p class="line874">The Network Security Working Group recommends
that the Forum make the following minor revisions to the
Network and Certificate System Security Requirements. <o:p></o:p></p>
<p class="line874">--Motion Begins-- <o:p></o:p></p>
<p class="line874">In the Network and Certificate System
Security Requirements. <o:p></o:p></p>
<p class="line862">ADD ETSI EN 319 411-1 to first sentence of
the Scope and Applicability section so that it reads "These
Network and Certificate System Security Requirements
(Requirements) apply to all publicly trusted Certification
Authorities (CAs) and are adopted with the intent that all
such CAs and Delegated Third Parties be audited for conformity
with these Requirements as soon as they have been incorporated
as mandatory requirements (if not already mandatory
requirements) in the root embedding program for any major
Internet browsing client and that they be incorporated into
the <a moz-do-not-send="true"
href="https://cabforum.org/wiki/WebTrust">WebTrust</a>
Service Principles and Criteria for Certification Authorities,
ETSI TS 101 456, ETSI TS 102 042 and ETSI EN 319 411-1
including revisions and implementations thereof, including any
audit scheme that purports to determine conformity therewith."
<o:p></o:p></p>
<p class="line874">REPLACE section 1.a. with "a. Segment
Certificate Systems into networks based on their functional or
logical relationship, for example separate physical networks
or VLANs;" <o:p></o:p></p>
<p class="line874">REPLACE section 1.b. with "b. Apply
equivalent security controls to all systems co-located in the
same network with a Certificate System;" <o:p></o:p></p>
<p class="line874">REPLACE "90 days" with "three (3) months" in
section 2.g.ii. and 2.j so that they read "ii. For accounts
that are accessible from outside a Secure Zone or High
Security Zone, require that passwords have at least eight (8)
characters, be changed at least every three (3) months, use a
combination of at least numeric and alphabetic characters,
that are not a dictionary word or on a list of previously
disclosed human-generated passwords, and not be one of the
user's previous four (4) passwords; and implement account
lockout for failed access attempts in accordance with
subsection k; OR" AND "j. Review all system accounts at
least every three (3) months and deactivate any accounts that
are no longer necessary for operations;" <o:p></o:p></p>
<p class="line874">REPLACE section 2.m. with "m. Enforce
multi-factor / multi-party authentication for administrator
access to Issuing Systems and Certificate Management Systems;"
<o:p></o:p></p>
<p class="line874">REPLACE section 2.o. with "o. Restrict remote
administration or access to an Issuing System, Certificate
Management System, or Security Support System except when: (i)
the remote connection originates from a device owned or
controlled by the CA or Delegated Third Party, (ii) the remote
connection is through a temporary, non-persistent encrypted
channel that is supported by multi-factor authentication, and
(iii) the remote connection is made to a designated
intermediary device (a) located within the CA’s network, (b)
secured in accordance with these Requirements, and (c) that
mediates the remote connection to the Issuing System." <o:p></o:p></p>
<p class="line874">REPLACE "every 30 days and" with "once a
month to" in section 3.e. so that it reads "e. Conduct a human
review of application and system logs at least once a month to
validate the integrity of logging processes and ensure that
monitoring, logging, alerting, and log-integrity-verification
functions are operating properly (the CA or Delegated Third
Party MAY use an in-house or third-party audit log reduction
and analysis tool); and" <o:p></o:p></p>
<p class="line874">REPLACE 4.a. with "a. Implement intrusion
detection and prevention controls under the control of CA or
Delegated Third Party Trusted Roles to protect Certificate
Systems against common network and system threats;" <o:p></o:p></p>
<p class="line874">REPLACE 4.C. with "c. Undergo or perform a
Vulnerability Scan (i) within one (1) week of receiving a
request from the CA/Browser Forum, (ii) after any system or
network changes that the CA determines are significant, and
(iii) at least every three (3) months, on public and private
IP addresses identified by the CA or Delegated Third Party as
the CA’s or Delegated Third Party’s Certificate Systems;" <o:p></o:p></p>
<p class="line874">REPLACE the definition of Security Support
System in the Definitions with "Security Support System: A
system used to provide security support functions, which MAY
include authentication, network boundary control, audit
logging, audit log reduction and analysis, vulnerability
scanning, and intrusion detection (Host-based intrusion
detection / Network-based intrusion detection)." <o:p></o:p></p>
<p class="line862">Make other editorial changes as indicated at
<a moz-do-not-send="true"
href="https://github.com/cabforum/documents/pull/64/files">https://github.com/cabforum/documents/pull/64/files</a>
and in the attached PDF. <o:p></o:p></p>
<p class="line874">--Motion Ends-- <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:2.0pt"><b><span
style="font-family:"Arial",sans-serif;color:#0174C3">Ben
Wilson, JD, CISA, CISSP<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-bottom:2.0pt"><span
style="font-family:"Arial",sans-serif;color:#686869">VP
Compliance<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:2.0pt"><span
style="font-family:"Arial",sans-serif;color:#686869">+1
801 701 9678<o:p></o:p></span></p>
<p class="MsoNormal"><img style="width:1.3875in;height:.3in"
id="Picture_x0020_1"
src="cid:part5.53462B32.51D1F37D@ssc.lt" height="29"
border="0" width="133"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Netsec mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Netsec@cabforum.org">Netsec@cabforum.org</a>
<a class="moz-txt-link-freetext" href="http://cabforum.org/mailman/listinfo/netsec">http://cabforum.org/mailman/listinfo/netsec</a>
</pre>
</blockquote>
<br>
</body>
</html>