Restarting the discussion period for Ballot NS-004. The only change from the previous version is to the effective date which now states: "The CA SHALL adhere to these Requirements on or before 2025-04-29".
Ballot NS-004 is proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.
Purpose of the Ballot
Section 4 of the Network and Certificate System Security Requirements (NCSSRs) requires CAs to perform a number of vulnerability management practices focusing on patching, vulnerability scans and penetration tests. This Ballot replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to these practices.
Reasons for the Proposal
Vulnerability scans and penetration tests are useful controls but are insufficient if they are not embedded in a broader set of policies and procedures to address CA specific risks.
Also, the CA’s vulnerability management processes should not be limited to critical vulnerabilities. CAs should address all vulnerabilities within defined timelines which are proportionate to the risk they pose. These remediation timelines should be disclosed in the CA’s CPS. All systems in the CA’s inventory of Certificate Systems should be in scope of the CA’s vulnerability management processes.
Similarly, CAs should define after which system changes they perform non-periodic penetration tests. This definition can vary from CA to CA. As a guideline, we assume that a penetration test is necessary if the change alters the data flow between certificate systems or if it introduces new service integrations.
Relation to Ballot NS-003
Ballot NS-004 includes minor revisions to clarify some of the system definitions of Ballot NS-003.
--- Motion Begins ---
This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.
MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/pull/34/files#diff-ed3f4facad5588c9445170bb7796257d35d52c6c38793bfeab126370b7022ec8
When approved, this Ballot takes effect on the IPR completion date.
--- Motion Ends ---
Discussion (7 days)
Start Time: October 16th, 2024 16:30 UTC
End Time: October 23rd, 2024 16:30 UTC
Vote for approval (7 days)
Start Time: TBD
End Time: TBD
Hello,
Two comments on the ballot text:
Thanks,
Corey
We are restarting the discussion period for Ballot NS-004 again after changes were made in response to recent feedback received via this list and this week's working group call held on 2024-10-22. The latest changes remove several unused definitions and copy the effective date from ballot NS-005, clarifying which version of the NSRs is in force prior to that date.
Ballot NS-004 is proposed by David Kluge of Google Trust Services and endorsed by Clint Wilson of Apple and Trevoli Ponds-White of Amazon.
Purpose of the Ballot
Section 4 of the Network and Certificate System Security Requirements (NCSSRs) requires CAs to perform a number of vulnerability management practices focusing on patching, vulnerability scans and penetration tests. This Ballot replaces Section 4 with a more comprehensive vulnerability management approach that is not limited to these practices.
Reasons for the Proposal
Vulnerability scans and penetration tests are useful controls but are insufficient if they are not embedded in a broader set of policies and procedures to address CA specific risks.
Also, the CA’s vulnerability management processes should not be limited to critical vulnerabilities. CAs should address all vulnerabilities within defined timelines which are proportionate to the risk they pose. These remediation timelines should be disclosed in the CA’s CPS. All systems in the CA’s inventory of Certificate Systems should be in scope of the CA’s vulnerability management processes.
Similarly, CAs should define after which system changes they perform non-periodic penetration tests. This definition can vary from CA to CA. As a guideline, we assume that a penetration test is necessary if the change alters the data flow between certificate systems or if it introduces new service integrations.
Relation to Ballot NS-003
Ballot NS-004 includes minor revisions to clarify some of the system definitions of Ballot NS-003.
--- Motion Begins ---
This ballot modifies the Network and Certificate System Security Requirements (NCSSRs), based on Version 2.0.
MODIFY the NCSSRs as specified in the following Redline: https://github.com/cabforum/netsec/pull/34/files#diff-ed3f4facad5588c9445170bb7796257d35d52c6c38793bfeab126370b7022ec8
When approved, this Ballot takes effect on the IPR completion date.
--- Motion Ends ---
Discussion (7 days)
Start Time: October 16th, 2024 15:30 UTC
End Time: October 31st, 2024 15:30 UTC
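The two ballot announcements above describe three practices a CA's vulnerability management process should cover: tracking every finding against risk-proportionate remediation timelines disclosed in the CPS, keeping every system in the Certificate Systems inventory within scan scope, and deciding which changes trigger a non-periodic penetration test. The following script is an added illustration of how a CA might check its own records against those three points; it is not part of the ballot, the redline, or any CA/B Forum text. The timelines, hostnames, finding ids, dates and change records are all constructed for the example, and the 90-day scan-age threshold is an assumption, not a value from the ballot.

```python
from datetime import date, timedelta

# Constructed, hypothetical remediation timelines in days per severity, standing in
# for the timelines a CA would disclose in its CPS. Illustrative values only.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed inventory of Certificate Systems (hypothetical hostnames).
INVENTORY = ["ca-issuer-01", "ocsp-responder-01", "ra-portal-01", "hsm-gateway-01"]

# Constructed findings: (system, finding id, severity, date discovered).
FINDINGS = [
    ("ca-issuer-01", "F-1001", "critical", date(2024, 10, 1)),
    ("ocsp-responder-01", "F-1002", "high", date(2024, 9, 1)),
    ("ra-portal-01", "F-1003", "low", date(2024, 8, 1)),
]

# Constructed scan records: system -> date of the most recent vulnerability scan.
# hsm-gateway-01 is deliberately absent to show an inventory/coverage gap.
LAST_SCAN = {
    "ca-issuer-01": date(2024, 10, 10),
    "ocsp-responder-01": date(2024, 10, 10),
    "ra-portal-01": date(2024, 10, 10),
}

# Constructed change records for the penetration-test trigger check.
CHANGES = [
    {"id": "CHG-1", "alters_data_flow": True, "new_integration": False},
    {"id": "CHG-2", "alters_data_flow": False, "new_integration": False},
    {"id": "CHG-3", "alters_data_flow": False, "new_integration": True},
]


def overdue_findings(findings, timelines, today):
    """Return ids of findings whose disclosed remediation deadline has passed."""
    overdue = []
    for _system, fid, severity, discovered in findings:
        deadline = discovered + timedelta(days=timelines[severity])
        if today > deadline:
            overdue.append(fid)
    return overdue


def uncovered_systems(inventory, last_scan, today, max_age_days=90):
    """Return inventory systems never scanned or scanned more than max_age_days ago.

    Every system in the Certificate Systems inventory must appear in the scan
    records; an inventory entry with no scan is a coverage gap, not a clean system.
    """
    gaps = []
    for system in inventory:
        scanned = last_scan.get(system)
        if scanned is None or (today - scanned).days > max_age_days:
            gaps.append(system)
    return gaps


def changes_needing_pentest(changes):
    """Apply the ballot's guideline: a change that alters data flow between
    certificate systems or introduces a new service integration needs a test."""
    return [c["id"] for c in changes
            if c.get("alters_data_flow") or c.get("new_integration")]


def report(today):
    """Assemble the three checks into one dict a reviewer could act on."""
    return {
        "overdue": overdue_findings(FINDINGS, REMEDIATION_DAYS, today),
        "uncovered": uncovered_systems(INVENTORY, LAST_SCAN, today),
        "pentest_required": changes_needing_pentest(CHANGES),
    }


if __name__ == "__main__":
    for key, value in report(date(2024, 10, 23)).items():
        print(f"{key}: {value}")
```

Run as a script it prints the three lists for 2024-10-23: the critical and high findings are past their constructed 7- and 30-day deadlines, the HSM gateway is in the inventory but has no scan record, and the two changes that alter data flow or add an integration are flagged for a penetration test. The point of treating a missing scan record as a gap rather than ignoring it is that the inventory, not the scanner's output, defines the scope the ballot asks for.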