<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:221599324;
mso-list-type:hybrid;
mso-list-template-ids:1279063864 -1764356096 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:.75in;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:DengXian;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.25in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.75in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.25in;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.75in;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.25in;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.75in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:233973766;
mso-list-type:hybrid;
mso-list-template-ids:145023192 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Do we need the definition? I ask, because the CAs already have physical security/access requirements from WebTrust and ETSI without the definition.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">WebTrust for CA has the following requirements:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">3.4 Physical and Environmental Security<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The CA maintains controls to provide reasonable assurance that:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="mso-list:l1 level1 lfo1">physical access to CA facilities and equipment is limited to authorised individuals, protected through restricted security perimeters, and is operated under multiple person (at least dual custody)
control;<o:p></o:p></li><li class="MsoListParagraph" style="mso-list:l1 level1 lfo1">CA facilities and equipment are protected from environmental hazards;<o:p></o:p></li><li class="MsoListParagraph" style="mso-list:l1 level1 lfo1">loss, damage or compromise of assets and interruption to business activities are prevented; and<o:p></o:p></li><li class="MsoListParagraph" style="mso-list:l1 level1 lfo1">compromise of information and information processing facilities is prevented.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">EN 319 401 has the following requirements:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">7.6 Physical and environmental security
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">REQ-7.6-01: The TSP shall control physical access to components of the TSP's system whose security is critical to the provision of its trust services and minimize risks related to physical security.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">NOTE 1: See clause 11 of ISO/IEC 27002:2013 [i.3] for guidance.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">In particular:<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">• REQ-7.6-02: Physical access to components of the TSP's system whose security is critical to the provision of its trust services shall be limited to authorized individuals.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">NOTE 2: Criticality is identified through risk assessment, or through application security requirements, as requiring a security protection.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">• REQ-7.6-03: Controls shall be implemented to avoid loss, damage or compromise of assets and interruption to business activities.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">• REQ-7.6-04: Controls shall be implemented to avoid compromise or theft of information and information processing facilities.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">• REQ-7.6-05: Components that are critical for the secure operation of the trust service shall be located in a protected security perimeter with physical protection against intrusion, controls on access through
the security perimeter and alarms to detect intrusion.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in">NOTE 3: See ISO/IEC 27002:2013 [i.3], clause 11.1 for guidance on secure areas.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Netsec <netsec-bounces@cabforum.org> <b>On Behalf Of
</b>Neil Dunbar via Netsec<br>
<b>Sent:</b> Friday, May 29, 2020 1:55 AM<br>
<b>To:</b> netsec@cabforum.org<br>
<b>Subject:</b> [EXTERNAL]Re: [cabf_netsec] Definition of "CA Equipment" for BR sec. 5.1<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><strong><span style="font-family:"Calibri",sans-serif;color:red">WARNING:</span></strong> This email originated outside of Entrust Datacard.<br>
<strong><span style="font-family:"Calibri",sans-serif;color:red">DO NOT CLICK</span></strong> links or attachments unless you trust the sender and know the content is safe.<o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p>How would we approach things like VMs/Containers run by a Cloud provider, but controlled day-to-day by the CA and used in the governance of their CA operations. For instance, a monitor service which is their to check on CRLs/OCSP performance, but for reasons
of broad spectrum testing, should _not_ be run inside the CA's normal network of hosts?<o:p></o:p></p>
<p>Or things like EC2/Linode/GCP hosts which are used to check CAA records? You could do it entirely within your network, of course, but then the spectre of BGP Hijacking comes in to haunt you. I would have thought that such hosts are 100% part of an intuitive
notion of "CA Equipment". It's certainly in the logical security controls of the CA, just outside of the physical security controls.<o:p></o:p></p>
<p>I wish I could come up with a better definition, Ben, but I'm stuck too right now.<o:p></o:p></p>
<p>Cheers,<o:p></o:p></p>
<p>Neil<o:p></o:p></p>
<div>
<p class="MsoNormal">On 29/05/2020 06:21, Ben Wilson via Netsec wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">As a follow up to discussions today regarding the "zones" ballot and putting physical security requirements into section 5.1 of the BRs, there was a comment to one of the drafts[1] about "CA Equipment", since that term is often used in
section 5.1. I doubt many CAs have defined the term in their CPs or CPSes. I'm also not sure whether it is defined in audit criteria.
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Here is a first stab at defining the term:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Arial",sans-serif;color:black">CA equipment:
</span></b><span style="font-family:"Arial",sans-serif;color:black">servers (CA, database, CRL, OCSP, www, etc.), load balancers, firewalls, routers, network appliances, security appliances, and other hardware components used in the issuance and management
of certificates, but does not include hardware outside the physical security boundary of the CA’s _____ such as CDNs, etc.
</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thoughts or suggestions?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">[1] <a href="https://docs.google.com/document/d/1Zpae_ysYXc7mFLrRaIU5Z9AQ9WsuOHAPWvgTN2kTJ30/edit">
https://docs.google.com/document/d/1Zpae_ysYXc7mFLrRaIU5Z9AQ9WsuOHAPWvgTN2kTJ30/edit</a><br>
<br>
<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Netsec mailing list<o:p></o:p></pre>
<pre><a href="mailto:Netsec@cabforum.org">Netsec@cabforum.org</a><o:p></o:p></pre>
<pre><a href="http://cabforum.org/mailman/listinfo/netsec">http://cabforum.org/mailman/listinfo/netsec</a><o:p></o:p></pre>
</blockquote>
</div>
</body>
</html>