Ballot NS-004 is proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.
Purpose of the Ballot
Section 4 of the Network and Certificate System Security Requirements (NCSSRs) requires CAs to perform a number of vulnerability management practices focusing on patching, vulnerability scans and penetration tests. This Ballot replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to these practices.
Reasons for the Proposal
Vulnerability scans and penetration tests are useful controls but are insufficient if they are not embedded in a broader set of policies and procedures to address CA-specific risks.
Also, the CA’s vulnerability management processes should not be limited to critical vulnerabilities. CAs should address all vulnerabilities within defined timelines which are proportionate to the risk they pose. These remediation timelines should be disclosed in the CA’s CPS. All systems in the CA’s inventory of Certificate Systems should be in scope of the CA’s vulnerability management processes.
Similarly, CAs should define after which system changes they perform non-periodic penetration tests. This definition can vary from CA to CA. As a guideline, we assume that a penetration test is necessary if the change alters the data flow between certificate systems or if it introduces new service integrations.
Relation to Ballot NS-003
Ballot NS-004 is proposed to take effect at the same date as NS-003. It includes minor revisions to clarify some of the system definitions of Ballot NS-003.
--- Motion Begins ---
This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.
MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/compare/7707907628ccebe6818fb6793d1c8a3aa38cf70d...08614bac38923cd099b23013661327378570fee3
When approved, this Ballot takes effect at the same time as "NS-003: Restructure the NCSSRs" or on 11/13/2024, whichever is earlier.
--- Motion Ends ---
Discussion (7+ days)
Start Time: September 10th, 2024 18:00 UTC
End Time: on or after September 17th, 2024 18:00 UTC
Vote for approval (7 days)
Start Time: TBD
End Time: TBD
"When approved, this Ballot takes effect on 11/13/2024."
J.C.
Are these effective dates in the ballot text itself?
Having effective dates in ballot motion text without having the exact details of how the effective date works in the requirements themselves is a practice we rightly abandoned about a decade ago.
-Tim
--
You received this message because you are subscribed to the Google Groups "NetSec WG - Public (CA/B Forum)" group.
To view this discussion on the web visit https://groups.google.com/a/groups.cabforum.org/d/msgid/netsec/c9189bd9-c209-47bf-b13f-836d199193a0n%40groups.cabforum.org.
Tim,
I believe this is covered by this existing text in the NSRs:
“Prior to 2024-11-12, the CA SHALL adhere to these Requirements or Version 1.7 of the Network and Certificate System Security Requirements. Effective 2024-11-12, the CA SHALL adhere to these Requirements.”
Since this ballot does not remove that text, that allowance stands, effectively creating the effective date for this change.
Regards,
Martijn
I don’t think that it is reasonable to have the effective date for NS-004 be the same as NS-003, since I assume that the CAs will need time to implement the change.
I think that there should be a period of time, say 6 months, where the CAs can use the methods in the current NetSec Requirements, before it is expected that the changes in NS-004 need to be applied.
Bruce.
Hi Clint,
No, I don’t have specific data.
My concern is the ballot could be approved no sooner than 24 September and not effective until after IPR, which is no sooner than 24 October. 12 November is only 19 days later.
From the CA perspective, we already have practices, controls, evidence, etc. which we are using in our current audit period. It takes time to change the practices, update documents, etc. A longer period will also allow for migration. It may also allow CAs to start using the new methods in their next audit period. Note that some CAs' audit periods end at the end of the calendar year, so November changes can be an issue.
From an audit perspective, the audit criteria will not be updated in this period.
Based on the reason for the ballot and the time to prepare the ballot, it does not appear to be an urgent ballot. As such, I think that the early effective date is not reasonable, but a longer time to allow for the change and migration would be reasonable.
I would propose an effective date no earlier than 15 April 2025.
Thanks, Bruce.
Ok, that’s fine. I didn’t realize we were using “you can comply with this or you can comply with that” language, which I actually tend to like more than trying to write one version of the text that attempts to express both.
Bruce’s point that this is an unusually short deadline stands, though.
-Tim
Hello all,
While I have been following along with previous discussions for this ballot and agree with the changes, I also agree that these are still changes, otherwise we wouldn’t be introducing them, and should have a future effective date. I included some suggestions below that may make this easier.
Can anyone see any harm if we follow a similar process used in NS-003 that allows the new language to be available immediately, but also sets a future date where previous versions will no longer be allowed?
The below proposed changes:
Proposed ballot changes related to effective dates
In the Requirements section, update the text:
In the 4.4 Vulnerability Management Timeframe section, update the text:
Thank you,
Dustin
Not only do I agree with this approach, I think we should see if we can adapt it into something we continue to do in the future for changes to this document.
-Tim
Hi,
I do support this change giving good clarity and consistency over the subsequent changes.
//Antti
Hi
I suggest the language to be ‘the CA SHALL adhere to these Requirements or Version 2.x of the Network and Certificate System Security Requirements’.
The effective version of NSR at 2025-04-22 will be version 2.0 “or higher” (ref NS-005).
Regards
Mads
Ballot NS-004 is proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.
Purpose of the Ballot
Section 4 of the Network and Certificate System Security Requirements (NCSSRs) requires CAs to perform a number of vulnerability management practices focusing on patching, vulnerability scans and penetration tests. This Ballot replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to these practices.
Reasons for the Proposal
Vulnerability scans and penetration tests are useful controls but are insufficient if they are not embedded in a broader set of policies and procedures to address CA-specific risks.
Also, the CA’s vulnerability management processes should not be limited to critical vulnerabilities. CAs should address all vulnerabilities within defined timelines which are proportionate to the risk they pose. These remediation timelines should be disclosed in the CA’s CPS. All systems in the CA’s inventory of Certificate Systems should be in scope of the CA’s vulnerability management processes.
Similarly, CAs should define after which system changes they perform non-periodic penetration tests. This definition can vary from CA to CA. As a guideline, we assume that a penetration test is necessary if the change alters the data flow between certificate systems or if it introduces new service integrations.
Relation to Ballot NS-003
Ballot NS-004 is proposed to take effect at the same date as NS-003. It includes minor revisions to clarify some of the system definitions of Ballot NS-003.
--- Motion Begins ---
This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.
MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/compare/main...miguelantonios:netsec:patch-1?expand=1
When approved, this Ballot takes effect at the same time as "NS-003: Restructure the NCSSRs" or on 11/13/2024, whichever is earlier.
--- Motion Ends ---
Discussion (7+ days)
Start Time: September 24th, 2024 16:08 UTC
End Time: October 3rd, 2024 18:33 UTC
Vote for approval (7 days)
Start Time: October 3rd, 2024 18:35 UTC
End Time: October 10th, 2024 18:35 UTC
Hello,
It appears that the authoritative text of the ballot does not contain an immutable link to the GitHub redline. This is needed to ensure that the text of the ballot does not change during or at any point after the discussion period.
Thanks,
Corey