Voting has commenced for Ballot NS-004
Ballot NS-004 is proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.
Purpose of the Ballot
Section 4 of the Network and Certificate System Security Requirements (NCSSRs) requires CAs to perform a number of vulnerability management practices focusing on patching, vulnerability scans and penetration tests. This Ballot replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to these practices.
Reasons for the Proposal
Vulnerability scans and penetration tests are useful controls but are insufficient if they are not embedded in a broader set of policies and procedures to address CA-specific risks.
Also, the CA’s vulnerability management processes should not be limited to critical vulnerabilities. CAs should address all vulnerabilities within defined timelines which are proportionate to the risk they pose. These remediation timelines should be disclosed in the CA’s CPS. All systems in the CA’s inventory of Certificate Systems should be in scope of the CA’s vulnerability management processes.
Similarly, CAs should define after which system changes they perform non-periodic penetration tests. This definition can vary from CA to CA. As a guideline, we assume that a penetration test is necessary if the change alters the data flow between certificate systems or if it introduces new service integrations.
Relation to Ballot NS-003
Ballot NS-004 includes minor revisions to clarify some of the system definitions of Ballot NS-003.
--- Motion Begins ---
This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.
MODIFY the NCSSRs as specified in the following Redline:
When approved, this Ballot takes effect on the IPR completion date.
--- Motion Ends ---
Discussion (7+ days)
Start Time: September 24th, 2024 16:08 UTC
End Time: October 3rd, 2024 18:33 UTC
Vote for approval (7 days)
Start Time: October 3rd, 2024 18:35 UTC
End Time: October 10th, 2024 18:35 UTC
You received this message because you are subscribed to the Google Groups "NetSec WG - Public (CA/B Forum)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit
Since voting has started, for this to change, I believe that we need to vote No, so the ballot will fail and we can start over.
From: 'Daniel Jeffery' via NetSec WG - Public (CA/B Forum) <>
Sent: Monday, October 7, 2024 2:48 PM
Subject: [EXTERNAL] Re: [netsec] Voting Period Begins: Ballot NS-004 "Updating Section 4 - Vulnerability Management - of the NSRs"
Miguel, since the timing here got a little off, I'm concerned about this getting merged after NS-005 and clobbering the extension of 1.7 compliance to March. Should we just adjust line 182 to allow 1.7?
On Mon, Oct 7, 2024, 09:54 'Ben
While I know that was done for a different ballot recently, actually the proposer has the ability to withdraw a ballot at any time during the voting process.
From: 'Bruce Morton' via NetSec WG - Public (CA/B Forum) <>
Date: Monday, 7 October 2024 at 12:39
To: <>
Subject: RE: [EXTERNAL] Re: [netsec] Voting Period Begins: Ballot NS-004 "Updating Section 4 - Vulnerability Management - of the NSRs"
Prior to 2025-04-22, the CA SHALL adhere to these Requirements or Version 2.0 of the Network and Certificate System Security Requirements. Effective 2025-04-22, the CA SHALL adhere to these Requirements.