[netsec] Voting Period Begins: Ballot NS-004 "Updating Section 4 - Vulnerability Management - of the NSRs"


Miguel Sanchez

Oct 7, 2024, 12:33:29 PM
to NetSec Forum

Voting has commenced for Ballot NS-004


Ballot NS-004 is proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.


Purpose of the Ballot


Section 4 of the Network and Certificate System Security Requirements (NCSSRs) requires CAs to perform a number of vulnerability management practices focusing on patching, vulnerability scans and penetration tests. This Ballot replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to these practices.


Reasons for the Proposal


Vulnerability scans and penetration tests are useful controls but are insufficient if they are not embedded in a broader set of policies and procedures to address CA-specific risks.


Also, the CA’s vulnerability management processes should not be limited to critical vulnerabilities. CAs should address all vulnerabilities within defined timelines which are proportionate to the risk they pose. These remediation timelines should be disclosed in the CA’s CPS. All systems in the CA’s inventory of Certificate Systems should be in scope of the CA’s vulnerability management processes.


Similarly, CAs should define after which system changes they perform non-periodic penetration tests. This definition can vary from CA to CA. As a guideline, we assume that a penetration test is necessary if the change alters the data flow between certificate systems or if it introduces new service integrations.


Relation to Ballot NS-003


Ballot NS-004 includes minor revisions to clarify some of the system definitions of Ballot NS-003.


--- Motion Begins ---


This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.


MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/compare/341fe5904976541b546172d08d8117a99a4141c2...4100324bdad1b6545a68fc5fdcc8161a1ea46777

 

When approved, this Ballot takes effect on the IPR completion date.


--- Motion Ends ---


Discussion (7+ days)


Start Time: September 24th, 2024 16:08 UTC

End Time: October 3rd, 2024 18:33 UTC


Vote for approval (7 days)


Start Time: October 3rd, 2024 18:35 UTC

End Time: October 10th, 2024 18:35 UTC


--
Thanks,
Miguel Sanchez | Google Trust Services | migu...@google.com | pki.goog

Ben Wilson

Oct 7, 2024, 12:54:24 PM
to net...@groups.cabforum.org
Mozilla votes in favor of Ballot NS-004.


Daniel Jeffery

Oct 7, 2024, 2:47:47 PM
to net...@groups.cabforum.org
Miguel, since the timing here got a little off, I'm concerned about this getting merged after NS-005 and clobbering the extension of 1.7 compliance to March. Should we just adjust line 182 to allow 1.7?

Bruce Morton

Oct 7, 2024, 3:38:54 PM
to net...@groups.cabforum.org

Since voting has started, for this to change, I believe that we need to vote No, so the ballot will fail and we can start over.

Bruce.

 


Daniel Jeffery

Oct 7, 2024, 5:03:13 PM
to net...@groups.cabforum.org
The other option I can see would be to just have it reference 2.1 or NS-005-version-TBD instead of 2.0. As I understand it, version numbers don't get assigned until after the vote since we shouldn't assume that it will pass. That would put everything right and perhaps doesn't require restarting the vote/discussion period.

Dan

Martijn Katerbarg

Oct 7, 2024, 8:03:06 PM
to net...@groups.cabforum.org

While I know that was done for a different ballot recently, actually the proposer has the ability to withdraw a ballot at any time during the voting process.

Regards,
Martijn

 


 

Dimitris Zacharopoulos (HARICA)

Oct 8, 2024, 8:00:40 PM
to 'Miguel Sanchez' via NetSec WG - Public (CA/B Forum)
HARICA votes "no" to Ballot NS-004.

We believe that Guidelines should avoid language that creates confusion and uncertainty about what CAs should implement.

For example, the following language:

Prior to 2025-04-22, the CA SHALL adhere to these Requirements or Version 2.0 of the Network and Certificate System Security Requirements. Effective 2025-04-22, the CA SHALL adhere to these Requirements.

doesn't help CAs implement a concrete set of requirements because they are in a "quantum state" where more than one version is equally effective. It can get more confusing with audit reports where the criteria are against version Y, but effectively it would be against version X (X<Y) because this is allowed in version Y.

In our opinion, when significant concerns are discovered late in the ballot process but remain unaddressed, ballots should be rescinded allowing more time for discussion and clarity.


Thank you,
Dimitris.

Miguel Sanchez

Oct 9, 2024, 4:45:23 PM
to net...@groups.cabforum.org
After discussing this at the F2F, I am officially withdrawing this ballot from voting. No need to continue voting.

I will restart the discussion period, after some changes, next week.

Thank you, all.

-Miguel
