[Servercert-wg] Ballot SC20v2: Configuration Management

Tue Jan 28 09:04:20 MST 2020

This begins the discussion period for Ballot SC20v2: Configuration 
Management

Purpose of Ballot:

Two sections of the current NSRs contain requirements for configuration 
management. Section 1(h) demands a weekly review and Section 3(a) a 
process to monitor, detect and report on security-related configuration 
changes.

There was consensus in the discussions of the Network Security Subgroup 
that unauthorized or unintentional configuration changes can introduce 
high security risks but the current wording allows CAs to comply with 
s1(h) without noticing such a change for several days. Whether the 
weekly human reviews have to be performed every 7 days or just once per 
week is a matter of interpretation but for the discussion of our 
proposal this is immaterial. The change we are proposing seeks to 
encourage CAs to rely on continuous monitoring rather than human reviews 
because alerts created by a continuous monitoring solution can notify a 
CA by orders of magnitude earlier than a human review i.e. within 
minutes not within days.

More detailed discussions and considerations can be found in this 
document, maintained by the NetSec Subgroup: 
https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo

The following motion has been proposed by Neil Dunbar of TrustCor and 
endorsed by Tobias Josefowitz of OPERA and Dustin Hollenback of 
Microsoft. The original version of this ballot was produced by Ben 
Wilson of Digicert.

--- MOTION BEGINS ---

This ballot modifies the “Network and Certificate System Security 
Requirements” based on Version 1.3. A redline against the CA/B Forum 
repository is found here:

https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:108e555?diff=split

(Each CA or Delegated Third Party SHALL)
(...)

Insert as new Section 1(h):

Ensure that the CA’s security policies encompass a Change Management 
Process, following the principles of documentation, approval and 
testing, and to ensure that all changes to Certificate Systems, Issuing 
Systems, Certificate Management Systems, Security Support Systems, and 
Front-End / Internal-Support Systems follow said Change Management Process;

Remove from Section 3(a):

Implement a Security Support System under the control of CA or Delegated 
Third Party Trusted Roles that monitors, detects, and reports any 
security-related configuration change to Certificate Systems;

Insert as new Section 3(a):

Implement a System under the control of CA or Delegated Third Party that 
continuously monitors, detects, and alerts personnel to any 
configuration change to Certificate Systems, Issuing Systems, 
Certificate Management Systems, Security Support Systems, and Front-End 
/ Internal-Support Systems unless the change has been authorized through 
a change management process.  The CA or Delegated Third Party  shall 
respond to the alert and initiate a plan of action within at most 
twenty-four (24) hours.

--- MOTION ENDS ---

This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 28-January 2020 00:00 UTC

End Time: No earlier than 03-February 2020 00:00 UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200128/c6ff578b/attachment.html>