On 23/05/17 04:18, Peter Kurrasch wrote:
> I think the term "industry best practices" is too nebulous. For
> example, if I patch some of my systems but not all of them I could
> still make a claim that I am following best practices even though my
> network has plenty of other holes in it.
I'm not sure that "patching half my systems" would be generally accepted
as "industry best practice". But regardless, unless we are planning to
write our own network security document, which we aren't, can you
suggest more robust wording?
> I assume the desire is to hold CAs to account for the security of
> their networks and systems, is that correct? If so, I think we should
> have something with more meat to it. If not, the proposal as written
> is probably just fine (although, do you mean the CABF's "Network
> Security Requirements" spec or is there another guidelines doc?).
Yes, that's the doc I mean (for all its flaws).
> For consideration: Mozilla can--and perhaps should--require that all
> CAs adopt and document a cybersecurity risk management framework for
> their networks and systems (perhaps this is already mandated
> somewhere?). I would expect that the best-run CAs will already have
> something like this in place (or something better) but other CAs
> might not. There are pros and cons to such frameworks but at a
> minimum it can demonstrate that a particular CA has at least
> considered the cybersecurity risks that are endemic to their
> business.
If we are playing "too nebulous", I would point out that to meet this
requirement, I could just write my own (very lax) cybersecurity risk
management framework and then adopt it.
Any requirement which is only a few sentences is always going to be
technically gameable. I just want to write something which is not easily
gameable without failing the "laugh test".
Gerv