CA Infrastructure Scope update #44
Conversation
Following discussions in the NSWG, this is an example version of the NCSSRs which removes several of the "Systems" from the scope of CA Infrastructure (and the document in general). The changes are based on the assumed completion of IPR review for NS-004 and NS-006. Additionally, fixed some minor issues arising from NS-004 and NS-006: * Reversion of Workstation definition * Orphaned text in 1.2.2 * Markdown formatting in 2.2.1.2
| **Certificate Management System**: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage. | ||
|
|
||
| **Certificate System**: A system used by a CA or Delegated Third Party to access, process, or manage data or provide services related to: | ||
| **Certificate System**: A system used by a CA or Delegated Third Party to access, process, or manage data or provide services related to performing: |
There was a problem hiding this comment.
to store, access, process, or manage data
There was a problem hiding this comment.
Cloud Services Subgroup Concern: Removal of Support Systems from Certificate Systems no longer encompasses those periphery systems in any kind of requirements for controls. How can we incorporate those requirements into this definition?
|
|
||
| These policies and procedures MUST apply to all Certificate Systems. | ||
|
|
||
| These policies and procedures SHOULD apply to Security Support Systems. |
There was a problem hiding this comment.
Security Support Systems has been removed as a defined term.
docs/NSR.md
Outdated
| @@ -219,7 +184,9 @@ CA Infrastructure MUST be in a Physically Secure Environment. | |||
|
|
|||
| ##### 1.2.2 | |||
|
|
|||
| Connections to and within the CA Infrastructure MUST be authenticated and encrypted except OCSP and CRL. | |||
| Connections to the CA Infrastructure MUST be authenticated and encrypted, except where documented that a formal specification prohibits or limits the use of authentication and/or encryption. | |||
There was a problem hiding this comment.
Maybe this should say ", except where a formal specification prohibits ..."? It seems that "where documented that" adds an unnecessary record-creating requirement and could be deleted without changing meaning. But I'm open to other suggestions/comments.
There was a problem hiding this comment.
For this objective, "CAs are able to clearly understand the minimum security requirements found in this document and successfully adapt/implement these Requirements to their own infrastructure and architecture" maybe add something like ", which requires a comprehensive inventory of their Certificate Systems to ensure that their infrastructure is adequately protected."
docs/NSR.md
Outdated
| @@ -82,21 +76,13 @@ The following are outcomes that this document seeks to achieve: | |||
| 5. certificate approval; | |||
| 6. certificate issuance; | |||
| 7. certificate revocation; | |||
| 8. authoritative certificate status; or | |||
| 8. generation and signing of authoritative certificate status; or | |||
| 9. key escrow. | |||
There was a problem hiding this comment.
Should this be "CA Key Escrow" as just "Key Escrow" is rather broad?
There was a problem hiding this comment.
It's intended to apply also to escrow of Subscriber keys, where allowed (such as with S/MIME Certificates), so I believe it's correct as-is. Where key escrow is not performed by a CA, then this becomes not applicable (therefore neither constraining nor expanding the requirements applied to the CA).
There was a problem hiding this comment.
Leaving some comments from Cloud Services Subgroup meeting today.
tl;dr: the concern that support security systems is removed and no longer requires controls on those systems. One possible solution is to hardcode those requirements and systems within their applicable sections (e.g. Access Management systems in section 2) similar to what's already done in 3.1.2.1 "The CA SHOULD ensure retained and/or archived audit logs are kept and managed in a manner sufficiently effective to prevent unapproved alteration or access."
| **Certificate Management System**: A system used by a CA or Delegated Third Party to process, approve issuance of, or store certificates or certificate status information, including the database, database server, and storage. | ||
|
|
||
| **Certificate System**: A system used by a CA or Delegated Third Party to access, process, or manage data or provide services related to: | ||
| **Certificate System**: A system used by a CA or Delegated Third Party to access, process, or manage data or provide services related to performing: |
There was a problem hiding this comment.
Cloud Services Subgroup Concern: Removal of Support Systems from Certificate Systems no longer encompasses those periphery systems in any kind of requirements for controls. How can we incorporate those requirements into this definition?
|
|
||
| These policies and procedures MUST apply to all Certificate Systems. | ||
|
|
||
| These policies and procedures SHOULD apply to Security Support Systems. |
docs/NSR.md
Outdated
|
|
||
| #### 4.1 Inventory of Certificate Systems | ||
|
|
||
| The CA MUST define an inventory of Certificate Systems. |
There was a problem hiding this comment.
CS group feedback: what if we move this up so that it pertains not just to vuln management, which I don't believe was the intention?
There was a problem hiding this comment.
CS group thoughts: What if we use something similar to what is in section 3.1.2.1 "The CA SHOULD ensure retained and/or archived audit logs are kept and managed in a manner sufficiently effective to prevent unapproved alteration or access." for all other relevant security support system sections (e.g. change management, vuln management, etc.) The benefit of this is that it would bring back the requirements to protect security support systems without blowing up the trusted roles bit (which was a concern in the past).
Vuln management example: "Vuln management systems would have to be configured/locked down in a way that prevents malicious attacks on Certificate Systems"
* Incorporated suggestions from several comments * Moved Requirements of 4.1 to 1 (and relabeled 4 as 4.1 so as to not renumber all of 4's subsections) * Attempted to address concerns with change in CA Infrastructure scope by: * re-adding (slightly modified) Security Support System definition * changing Trusted Role to apply to those with Certificate Systems or Root CA Systems access
Following discussions in the NSWG, this is an example version of the NCSSRs which removes several of the "Systems" from the scope of CA Infrastructure (and the document in general). The changes are based on the assumed completion of IPR review for NS-004 and NS-006.
As also touched upon in NSWG meeting on Nov 19, 2024, I slightly updated the Trusted Role definition to (hopefully) avoid its interpretation as including companies not involved in the operation of CA Infrastructure.
Additionally, fixed some minor issues arising from NS-004 and NS-006: