NS-004 change to definition of "Certificate Systems"


Tobias S. Josefowitz

Jul 2, 2024, 6:57:31 AM7/2/24
to net...@groups.cabforum.org
Hi Clint & all,

In the Cloud services call last week we sort of stumbled over the change
to the definition of "Certificate Systems" introduced by NS-003. In
particular, the discussion centered around the removal of "and other
PKI-related services", and instead giving a list.

In this discussion, I was concerned that the new definition of
"Certificate System" gives a list that might be interpreted as a closed
list (which I indeed assume it is supposed to be), while the transitive
effects of the "A system used by a CA or Delegated Third Party to access,
process, or manage data or provide services related to [list]" might be
overlooked when it comes to such things as e.g. virtualization
environments the first level Certificate Systems run in.

Now, a week later, I no longer necessarily see this change as any more
prone to being interpreted as not covering virtualization environments and
other, higher-order Certificate Systems. Yet, I am concerned that with
both the old and the new definition, this might be frequently
misinterpreted in this regard.

To ascertain if my concerns are unfounded and we are all aligned on the
meaning anyway, I would like to confirm that the "provide services related
to" is indeed supposed to cover such higher-order systems, e.g.
virtualization environments.

Tobi

Clint Wilson

Jul 2, 2024, 10:48:13 AM7/2/24
to net...@groups.cabforum.org
Hi Tobi,

The current draft of NS-004 is at https://github.com/cabforum/netsec/pull/34/files and has the following as a definition for “Certificate Systems”:

A system used by a CA or Delegated Third Party to access, process, or manage data or provide services related to:

* certificate application;
* certificate validation;
* certificate approval;
* signing;
* certificate revocation;
* serving authoritative certificate status information; or
* key escrow.

This is slightly updated from the language in the current version 2 of the NCSSRs:

A system used by a CA or Delegated Third Party to access, process, or manage data or provide services related to:

  1. identity validation;
  2. identity authentication;
  3. account registration;
  4. certificate application;
  5. certificate approval;
  6. certificate issuance;
  7. certificate revocation;
  8. authoritative certificate status; or
  9. key escrow.

I agree that any concerns with the proposed definition would also apply to the current definition, regarding extensibility to higher-order systems like virtualization environments.

However, I think both definitions would cover such higher-order systems. As a concrete example, a virtualization environment within which is running a system for validation data to be collected, associated with Certificate Requests, and stored seems to clearly provide services related to certificate validation.

Cheers,
-Clint

