[cabfpub] Ballot 170 - Amend Section 5.1 of Baseline Requirements

[Patrick Tronnier]

OATI votes Yes.

OATI agrees that the content of this ballot was outside the core expertise of most CABF members and that we do NOT want the BRs to be "a comprehensive list of all the things a CA must do in order to provide a secure and trustworthy service". However, we support efforts to make sure the BRs cover the minimum things a CA must do (and most likely are already doing) to ensure the secure "Issuance and Management of Publicly-Trusted Certificates" (where "Management" includes the items in this ballot).  Also, OATI agrees audits are expensive but as  the BRs become more robust/inclusive it is our hope there will be more reliance on the BR's and thus perhaps decrease the overall number of audits needed.

Thanks

With kind regards,

Patrick Tronnier
Principal Security Architect &
Sr. Director of Quality Assurance & Customer Support
Phone: 763.201.2000
Fax: 763.201.5333
Direct Line: 763.201.2052
Open Access Technology International, Inc.
3660 Technology Drive NE, Minneapolis, MN 55418

"Human action can be modified to some extent, but human nature cannot be changed." - Abraham Lincoln
[cid:image002.jpg at 01D1C722.3A06E180]Challenging the Limits of Energy
October 11-13, 2016 | The Cosmopolitan | Las Vegas
The 2016 OATI Energy Conference features prominent industry speakers, hands-on training, networking events, product demonstrations, private training, and NERC CE trainings. For more information or to register, please contact EnergyConference at oati.net<mailto:EnergyConference at oati.net>.

CONFIDENTIAL INFORMATION: This email and any attachment(s) contain confidential and/or proprietary information of Open Access Technology International, Inc. Do not copy or distribute without the prior written consent of OATI. If you are not a named recipient to the message, please notify the sender immediately and do not retain the message in any form, printed or electronic.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, June 02, 2016 4:04 PM
To: CABFPub <public at cabforum.org>
Subject: [cabfpub] Ballot 170 - Amend Section 5.1 of Baseline Requirements


Ballot 170 - Amend Section 5.1 of Baseline Requirements

The Policy Review Working Group has reviewed Section 5.1 of the Baseline Requirements and, as a result, suggests that certain changes be made. Therefore, the following motion has been proposed by Ben Wilson of DigiCert and endorsed by Robin Alden of Comodo and Li-Chun CHEN of Chunghwa Telecom:

-- MOTION BEGINS --

In Section 5.1.1 Site location and construction add:

The location and construction of the facilities housing the CA and RA equipment SHALL be consistent with facilities used to house high-value, sensitive information. The site location and construction, when combined with other physical security protection mechanisms such as guards, high security locks, and intrusion sensors, SHALL provide robust protection against unauthorized access to the CA equipment and records.

In Section 5.1.2 Physical access add:

CAs SHALL maintain controls to provide reasonable assurance that: physical access to CA facilities and equipment is limited to authorized individuals, protected through restricted security perimeters, and is operated under multiple person (at least dual custody) control; CA facilities and equipment are protected from environmental hazards; loss, damage or compromise of assets and interruption to business activities are prevented; and compromise of information and information processing facilities is prevented.

In Section 5.1.3 Power and air conditioning add:

The CA SHALL have backup power capability sufficient to lock out input, finish any pending actions, and record the state of the equipment automatically before lack of power or air conditioning causes a shutdown. The backup power capabilities SHALL support the availability requirements of Section 4.10.2.

In Section 5.1.4 Water exposures add:

CA equipment SHALL be installed such that it is not in danger of exposure to water (e.g., on tables or elevated floors). Potential water damage from fire prevention and protection measures (e.g., sprinkler systems) SHOULD be minimized.

In Section 5.1.5 Fire prevention and protection add:

The CA SHALL comply with local commercial building codes for fire prevention and protection.

In Section 5.1.6 Media storage add:

Media SHALL be stored so as to protect it from accidental damage (water, fire, electromagnetic) and unauthorized physical access. Media not required for daily operation or not required by policy to remain with the CA or RA that contains security audit, archive, or backup information SHALL be stored securely in a location separate from the CA or RA equipment.

Media containing private key material SHALL be handled, packaged, and stored in a manner compliant with the requirements for the sensitivity level of the information it protects or to which it provides access. Storage protection of CA and RA private key material SHALL be consistent with stipulations in Section 5.1.2.

In Section 5.1.7 Waste disposal add:

Sensitive media and documentation that are no longer needed for operations SHALL be destroyed in a secure manner. For example, sensitive paper documentation shall be shredded, burned, or otherwise rendered unrecoverable.

In Section 5.1.8 Off-site backup add:

The purpose of an off-site backup is to recover from system failure resulting from damage to the equipment or similar causes. For components of the Certificate System operated in an online fashion, any backup necessary to recover from system failure SHALL be made at least once per week or so that no changes made prior to the last week might be lost. Root CA Systems and other components operated in an offline fashion SHALL be backed up prior to taking them offline. Only the latest backup needs to be retained. The backup SHALL be stored at a separate site with physical and procedural controls sufficient to protect the confidentiality, integrity, and availability of the information backed up.

-- MOTION ENDS --

The review period for this ballot shall commence at 2200 UTC on 2 June 2016, and will close at 2200 UTC on 9 June 2016. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 16 June 2016. Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: https://cabforum.org/members/

In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently ten (10) members- at least ten members must participate in the ballot, either by voting in favor, voting against, or abstaining.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160615/3f32d0a2/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 63133 bytes
Desc: image001.jpg
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160615/3f32d0a2/attachment-0006.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 159 bytes
Desc: image003.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160615/3f32d0a2/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 5751 bytes
Desc: image002.jpg
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160615/3f32d0a2/attachment-0007.jpg>