<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.line867, li.line867, div.line867
{mso-style-name:line867;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.line862, li.line862, div.line862
{mso-style-name:line862;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">In this section:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN">REPLACE 4.c. with "c. Undergo or perform a Vulnerability Scan (i) within one (1) week of
<span style="background:yellow;mso-highlight:yellow">receiving a request from the CA/Browser Forum</span>, (ii) after any system or network changes that the CA determines are significant, and (iii) at least every three (3) months, on public and private IP addresses
identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems;"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN">Who from the CA/B Forum is going to send out a request? What is the intent here?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN">Thanks,<br>
Dean</span><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Netsec [mailto:netsec-bounces@cabforum.org] <b>
On Behalf Of </b>Ben Wilson via Netsec<br>
<b>Sent:</b> Thursday, July 27, 2017 6:45 PM<br>
<b>To:</b> CA/Browser Forum Network Security WG List &lt;netsec@cabforum.org&gt;<br>
<b>Subject:</b> [cabf_netsec] Pre-Ballot 210 - Misc. Changes to the Network and Certificate System Security Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Based on Dimitris’ recent updates to the document on GitHub (see
<a href="https://github.com/cabforum/documents/pull/64/files">
https://github.com/cabforum/documents/pull/64/files</a>), I’ve created a pre-ballot that the Working Group should be able to endorse. See <a href="https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR">https://cabforum.org/wiki/210%20-%20Misc%20Changes%20to%20NCSSR</a>
(pasted below). I don’t have the PDF ready yet, but I’ll circulate it later.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="line867"><strong><span style="font-family:'Calibri',sans-serif">Ballot 210 - Miscellaneous Changes to the Network and Certificate System Security Requirements</span></strong>
<o:p></o:p></p>
<p class="line874">The Network Security Working Group recommends that the Forum make the following minor revisions to the Network and Certificate System Security Requirements.
<o:p></o:p></p>
<p class="line874">--Motion Begins-- <o:p></o:p></p>
<p class="line874">In the Network and Certificate System Security Requirements:<o:p>
</o:p></p>
<p class="line862">ADD ETSI EN 319 411-1 to first sentence of the Scope and Applicability section so that it reads "These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs) and are
adopted with the intent that all such CAs and Delegated Third Parties be audited for conformity with these Requirements as soon as they have been incorporated as mandatory requirements (if not already mandatory requirements) in the root embedding program for
any major Internet browsing client and that they be incorporated into the <a href="https://cabforum.org/wiki/WebTrust">
WebTrust</a> Service Principles and Criteria for Certification Authorities, ETSI TS 101 456, ETSI TS 102 042 and ETSI EN 319 411-1 including revisions and implementations thereof, including any audit scheme that purports to determine conformity therewith."
<o:p></o:p></p>
<p class="line874">REPLACE section 1.a. with "a. Segment Certificate Systems into networks based on their functional or logical relationship, for example separate physical networks or VLANs;"
<o:p></o:p></p>
<p class="line874">REPLACE section 1.b. with "b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System;"
<o:p></o:p></p>
<p class="line874">REPLACE "90 days" with "three (3) months" in section 2.g.ii. and 2.j so that they read "ii. For accounts that are accessible from outside a Secure Zone or High Security Zone, require that passwords have at least eight (8) characters, be changed
at least every three (3) months, use a combination of at least numeric and alphabetic characters, that are not a dictionary word or on a list of previously disclosed human-generated passwords, and not be one of the user's previous four (4) passwords; and implement
account lockout for failed access attempts in accordance with subsection k; OR" AND "j. Review all system accounts at least every three (3) months and deactivate any accounts that are no longer necessary for operations;"
<o:p></o:p></p>
<p class="line874">REPLACE section 2.m. with "m. Enforce multi-factor / multi-party authentication for administrator access to Issuing Systems and Certificate Management Systems;"
<o:p></o:p></p>
<p class="line874">REPLACE section 2.o. with "o. Restrict remote administration or access to an Issuing System, Certificate Management System, or Security Support System except when: (i) the remote connection originates from a device owned or controlled by
the CA or Delegated Third Party, (ii) the remote connection is through a temporary, non-persistent encrypted channel that is supported by multi-factor authentication, and (iii) the remote connection is made to a designated intermediary device (a) located within
the CA’s network, (b) secured in accordance with these Requirements, and (c) that mediates the remote connection to the Issuing System."
<o:p></o:p></p>
<p class="line874">REPLACE "every 30 days and" with "once a month to" in section 3.e. so that it reads "e. Conduct a human review of application and system logs at least once a month to validate the integrity of logging processes and ensure that monitoring,
logging, alerting, and log-integrity-verification functions are operating properly (the CA or Delegated Third Party MAY use an in-house or third-party audit log reduction and analysis tool); and"
<o:p></o:p></p>
<p class="line874">REPLACE 4.a. with "a. Implement intrusion detection and prevention controls under the control of CA or Delegated Third Party Trusted Roles to protect Certificate Systems against common network and system threats;"
<o:p></o:p></p>
<p class="line874">REPLACE 4.c. with "c. Undergo or perform a Vulnerability Scan (i) within one (1) week of receiving a request from the CA/Browser Forum, (ii) after any system or network changes that the CA determines are significant, and (iii) at least every
three (3) months, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems;"
<o:p></o:p></p>
<p class="line874">REPLACE the definition of Security Support System in the Definitions with "Security Support System: A system used to provide security support functions, which MAY include authentication, network boundary control, audit logging, audit log
reduction and analysis, vulnerability scanning, and intrusion detection (Host-based intrusion detection / Network-based intrusion detection)."
<o:p></o:p></p>
<p class="line862">Make other editorial changes as indicated at <a href="https://github.com/cabforum/documents/pull/64/files">
https://github.com/cabforum/documents/pull/64/files</a> and in the attached PDF. <o:p>
</o:p></p>
<p class="line874">--Motion Ends-- <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:2.0pt"><b><span style="font-family:'Arial',sans-serif;color:#0174C3">Ben Wilson, JD, CISA, CISSP<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-bottom:2.0pt"><span style="font-family:'Arial',sans-serif;color:#686869">VP Compliance<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:2.0pt"><span style="font-family:'Arial',sans-serif;color:#686869">+1 801 701 9678<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>