CA Infrastructure Scope

[Clint Wilson]

Hi all,

I’ve opened PR#44 (https://github.com/cabforum/netsec/pull/44) with the changes we discussed yesterday. https://github.com/cabforum/netsec/blob/ca-infrastructure-scope/docs/NSR.md is an example of the NCSSRs after 1) the incorporation of NS-004 and NS-006; 2) the removal of 4 “Systems” definitions (Certificate Management, Delegated Third Party, Issuing, and Security Support); and 3) a few minor cleanups.

My understanding is that we need to determine the impact of these changes in minimally 2 ways:

1. Are there uses of CA Infrastructure which imply or mandate an overly broad scope of associated requirements?

2. Are there uses of CA Infrastructure which do not adequately incorporate the necessary scope for associated requirements?

In the second category, a concern would be that the Systems used to manage audit logging, authentication, intrusion detection, etc. are not clearly in scope of requirements such as 1.2.1 (CA infra in a physically secure environment). This may be mitigated by 1.2.3, which requires equivalent security for any Systems (whether or not explicitly defined within the NCSSRs) on the same network as CA Infrastructure, but it is still a change in the requirements afaict.

Please feel free to discuss here or on the PR. Thank you!

-Clint