[netsec] Voting Period Begins: Ballot NS-004 "Updating Section 4 - Vulnerability Management - of the NSRs"


Miguel Sanchez

Nov 4, 2024, 2:38:28 PM
to CA/B NetSec WG (CA/B Forum)

We are starting the voting period for Ballot NS-004 again after the most recent discussion period (ref: https://groups.google.com/a/groups.cabforum.org/g/netsec/c/k4T0UfTRBDI/m/rLqQmek-AQAJ?utm_medium=email&utm_source=footer). 


Ballot NS-004 is proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.


Purpose of the Ballot


Section 4 of the Network and Certificate System Security Requirements (NCSSRs) requires CAs to perform a number of vulnerability management practices focusing on patching, vulnerability scans and penetration tests. This Ballot replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to these practices.


Reasons for the Proposal


Vulnerability scans and penetration tests are useful controls but are insufficient if they are not embedded in a broader set of policies and procedures to address CA specific risks.


Also, the CA’s vulnerability management processes should not be limited to critical vulnerabilities. CAs should address all vulnerabilities within defined timelines which are proportionate to the risk they pose. These remediation timelines should be disclosed in the CA’s CPS. All systems in the CA’s inventory of Certificate Systems should be in scope of the CA’s vulnerability management processes. 


Similarly, CAs should define after which system changes they perform non-periodic penetration tests. This definition can vary from CA to CA. As a guideline, we assume that a penetration test is necessary if the change alters the data flow between certificate systems or if it introduces new service integrations.


Relation to Ballot NS-003


Ballot NS-004 includes minor revisions to clarify some of the system definitions of Ballot NS-003.


--- Motion Begins ---


This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.


MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/pull/34/files#diff-ed3f4facad5588c9445170bb7796257d35d52c6c38793bfeab126370b7022ec8


When approved, this Ballot takes effect on the IPR completion date.


--- Motion Ends ---


Discussion (7 days)


Start Time: October 16th, 2024 15:30 UTC

End Time: October 31st, 2024 15:30 UTC


Vote for approval (7 days)


Start Time: Nov 4th, 2024 19:45 UTC

End Time: Nov 11th, 2024 19:45 UTC

Ponds-White, Trev

Nov 4, 2024, 2:52:15 PM
to net...@groups.cabforum.org

Amazon Trust Services votes yes

 


Bruce Morton

Nov 4, 2024, 4:55:25 PM
to net...@groups.cabforum.org

Probably not a question in the voting period, but the introduction to the discussion period stated “Restarting the discussion period for Ballot NS-004. The only change from the previous version is to the effective date which now states: "The CA SHALL adhere to these Requirements on or before 2025-04-29".”

 

I don’t see this in the ballot which states “Prior to 2025-03-12, the CA SHALL adhere to these Requirements or Version 1.7 of the Network and Certificate System Security Requirements. Effective 2025-03-12, the CA SHALL adhere to these Requirements.”

 

Am I reading this wrong or was there a reason this was not implemented?

 

 

Thanks, Bruce.

 


Miguel Sanchez

Nov 4, 2024, 5:31:46 PM
to net...@groups.cabforum.org
Hi Bruce,

Thanks for the question. I believe the discussion you're referring to was the previous one that I initiated on October 16th that included the language you referenced. The most recent discussion period was initiated by Cade Cairns on October 24th and does not include the 2025-04-29 date but instead references the 2025-03-12 date in the Github redline as that is the date that was agreed upon by the broader NetSec Working Group. 

Let me know if you have any other questions. 

Thanks,

Miguel 

Bruce Morton

Nov 5, 2024, 8:42:01 AM
to net...@groups.cabforum.org

Entrust votes Yes to ballot NC-004.

 

 

Bruce.

 


Pedro FUENTES

Nov 5, 2024, 10:50:41 AM
to net...@groups.cabforum.org
OISTE votes Yes to NS-004



WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager


蔡家宏(chtsai)

Nov 6, 2024, 12:29:08 AM
to net...@groups.cabforum.org

TWCA votes Yes on Ballot NS-004.

 


Clint Wilson

Nov 6, 2024, 11:00:01 AM
to net...@groups.cabforum.org
Apple votes YES on Ballot NS-004.

A Commit to Commit comparison identical (I believe) to the below redline is also available here: https://github.com/cabforum/netsec/compare/6bc30f7170d7d0adefe4bfdb85dd52455fe3fc96...cf7110068e9df71bcc939fc3c07c91b61348cab2


Daniel Jeffery

Nov 6, 2024, 6:40:30 PM
to net...@groups.cabforum.org
Fastly votes YES on Ballot NS-004.



--


Daniel Jeffery | TLS

Ben Wilson

Nov 6, 2024, 7:01:27 PM
to net...@groups.cabforum.org
Mozilla votes "Yes" for Ballot NS-004.

--

Dimitris Zacharopoulos (HARICA)

Nov 7, 2024, 3:57:11 AM
to net...@groups.cabforum.org
HARICA votes "yes" to ballot NS-004.

Please note that the effective date of 2024-03-15 pushes the WG to work fast in order to address issues and concerns we discussed at the last F2F, like the level of accounts to be described in the Trusted Roles (we discussed changing "authorized access" to something like "privileged access"), and also the removal of the "Security Support System" term from the "CA Infrastructure" definition.

Members should become more active, review the language introduced in NS-003 with the amendments of NS-005 and this ballot NS-004, and ensure there are no unexpected surprises.

Dimitris.
--

Scott Rea

Nov 7, 2024, 10:39:34 AM
to net...@groups.cabforum.org

eMudhra votes YES on NS-004

 


sde...@godaddy.com

Nov 7, 2024, 11:45:12 AM
to net...@groups.cabforum.org

GoDaddy votes YES on Ballot NS-004

 

Cheers,

Steven

 


Ryan Dickson

Nov 7, 2024, 3:53:30 PM
to net...@groups.cabforum.org

Backman, Antti

Nov 7, 2024, 11:58:51 PM
to net...@groups.cabforum.org

Hi,


Telia votes ’Yes’ on ballot NS-004.

 

//Antti

 


Rollin.Yu

Nov 8, 2024, 1:29:09 AM
to net...@groups.cabforum.org
TrustAsia votes YES on Ballot NS-004.

Best regards,
Rollin Yu





Jozef Nigut

Nov 8, 2024, 2:26:48 AM
to net...@groups.cabforum.org

Disig votes "Yes" for Ballot NS-004.

 

Regards,

Jozef

 


Michael Guenther

Nov 8, 2024, 3:14:24 AM
to net...@groups.cabforum.org
smime.p7m

Andrea Holland

Nov 8, 2024, 11:47:02 AM
to net...@groups.cabforum.org

VikingCloud votes Yes on NS-004.

 

Regards,

Andrea Holland

 

 


Mads Egil Henriksveen

Nov 11, 2024, 1:55:00 AM
to net...@groups.cabforum.org

Buypass votes YES on Ballot NS-004.

 

Regards

Mads

 
