<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-text-html" lang="x-unicode">
<div dir="ltr">
<div dir="ltr">This begins the discussion period for Ballot
SC20v2: Configuration Management</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Purpose of Ballot:<br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Two sections of the current NSRs contain
requirements for configuration management. Section 1(h)
demands a weekly review and Section 3(a) a process to monitor,
detect and report on security-related configuration changes.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">There was consensus in the discussions of the
Network Security Subgroup that unauthorized or unintentional
configuration changes can introduce high security risks but
the current wording allows CAs to comply with s1(h) without
noticing such a change for several days. Whether the weekly
human reviews have to be performed every 7 days or just once
per week is a matter of interpretation but for the discussion
of our proposal this is immaterial. The change we are
proposing seeks to encourage CAs to rely on continuous
monitoring rather than human reviews because alerts created by
a continuous monitoring solution can notify a CA by orders of
magnitude earlier than a human review i.e. within minutes not
within days.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">More detailed discussions and considerations can
be found in this document, maintained by the NetSec Subgroup:
<a
href="https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo">https://docs.google.com/document/d/1yyadZ1Ts3bbR0ujAB1ZOcIrzP9q4Un7dPzl3HD9QuCo</a></div>
<div dir="ltr"><br>
The following motion has been proposed by Neil Dunbar of
TrustCor and endorsed by Tobias Josefowitz of OPERA and Dustin
Hollenback of Microsoft. The original version of this ballot
was produced by Ben Wilson of Digicert.<br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">--- MOTION BEGINS ---</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">This ballot modifies the “Network and Certificate
System Security Requirements” based on Version 1.3. A redline
against the CA/B Forum repository is found here: <br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">
<p dir="ltr"
style="line-height:1.38;margin-top:0pt;margin-bottom:10pt;"><a
href="https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:108e555?diff=split"
style="text-decoration:none;">https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:108e555?diff=split</a></p>
</div>
<div dir="ltr">(Each CA or Delegated Third Party SHALL)<br>
(...)</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Insert as new Section 1(h):</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Ensure that the CA’s security policies encompass
a Change Management Process, following the principles of
documentation, approval and testing, and to ensure that all
changes to Certificate Systems, Issuing Systems, Certificate
Management Systems, Security Support Systems, and Front-End /
Internal-Support Systems follow said Change Management
Process;</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Remove from Section 3(a):<br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Implement a Security Support System under the
control of CA or Delegated Third Party Trusted Roles that
monitors, detects, and reports any security-related
configuration change to Certificate Systems;</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Insert as new Section 3(a):</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Implement a System under the control of CA or
Delegated Third Party that continuously monitors, detects, and
alerts personnel to any configuration change to Certificate
Systems, Issuing Systems, Certificate Management Systems,
Security Support Systems, and Front-End / Internal-Support
Systems unless the change has been authorized through a change
management process. The CA or Delegated Third Party shall
respond to the alert and initiate a plan of action within at
most twenty-four (24) hours.</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">--- MOTION ENDS ---<br>
</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">This ballot proposes a Final Maintenance
Guideline.<br>
<br>
The procedure for approval of this ballot is as follows:<br>
<br>
Discussion (7+ days)<br>
<br>
Start Time: 28-January 2020 00:00 UTC<br>
<br>
End Time: No earlier than 03-February 2020 00:00 UTC<br>
<br>
Vote for approval (7 days)<br>
<br>
Start Time: TBD<br>
<br>
End Time: TBD
</div>
</div>
</div>
</body>
</html>