Ballot to clarify some points of NS-003


Daniel Jeffery

Sep 25, 2024, 7:20:46 PMSep 25
to net...@groups.cabforum.org
Hello All,

We've been working on prospective ballot NS-005 and are feeling like it's ready to open for discussion, but I need a second endorser to do that. I'll include the text of the ballot below for review/discussion. If you can get behind this, let me know you'd be willing to support and we can start the discussion period in earnest. 

NS-005: Clarifications to sections 1, 2 and a definition prior to NS-003 taking effect

Ballot NS-005 is proposed by Daniel Jeffery of Certainly and endorsed by Miguel Sanchez of Google Trust Services and TBD of TBD.

        Purpose of the Ballot

NS-005 is intended to address unintended, unclear or problematic expectations that were introduced or highlighted by the changes in NS-003. 

        Reasons for the Proposal

Changes made in NS-003 altered the application of certain aspects of the NSR, one reason being the move from use of the term Certificate Systems to CA Infrastructure. The reorganization also helped to clarify certain points that may have been less obvious previously. NS-005 has been discussed with the working group, in meetings and on GitHub, to clarify points of confusion and over-specification of industry practices. This includes:

  • defining "Workstation" for the purposes of this document by privileges and capability
  • limiting scope to connections that must be unencrypted and that are within the CA's control
  • recognizing there may be a practical or technical need for shared accounts, but requiring attribution to an individual actor and the approved activity in such cases
  • requiring that workstations MUST be secured when inactive, consistent with the CA's risk assessment
  • bringing use of hardware tokens for general multi-factor authentication more in line with industry best practices
  • removing a limited set of requirements in favor of the NIST recommendations

       Relation to Ballot NS-003

Ballot NS-005 clarifies some of the language in NS-003 for reasons of practical implementation to help CAs meet the requirements of NS-003. Ideally, IPR review will complete in time for NS-005 to go into effect on or before 12 November 2024, the date when NS-003 fully takes effect.

       Relation to Ballot NS-004

Ballot NS-005 does not modify any of the text modified by NS-004. Both should be able to be merged complementarily.

--- Motion Begins ---

This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.

MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/compare/7707907628ccebe6818fb6793d1c8a3aa38cf70d...danjeffery:netsec:d2fe57093427e512fea15a6e9d2d70c5586a1d58

When approved, this Ballot takes effect on the IPR review completion date. 

--- Motion Ends ---


--


Daniel Jeffery | TLS

Backman, Antti

Sep 26, 2024, 12:15:14 AMSep 26
to net...@groups.cabforum.org

Hi Daniel

Telia is happy to endorse these changes.

//Antti


Daniel Jeffery

Sep 26, 2024, 11:17:02 AMSep 26
to net...@groups.cabforum.org