
Policy 2.5 Proposal: Require all CAs to have appropriate network security


Gervase Markham

May 19, 2017, 8:56:38 AM
to mozilla-dev-s...@lists.mozilla.org
At the moment, the CAB Forum's Network Security guidelines are audited
as part of an SSL BR audit. This means that CAs or sub-CAs which only do
email don't technically have to meet them. However, they also have a
number of deficiencies, and the CAB Forum is looking at replacing them
with something better, ideally maintained by another organization. So
just mandating that everyone follow them doesn't seem like the best thing.

Nevertheless, I think it's valuable to make it clear in our policy that
all CAs are expected to follow best practices for network security. I
suggest this could be done by adding a bullet to section 2.1:

"CAs whose certificates are included in Mozilla's root program MUST:
....
* follow industry best practice for securing their networks, for example
by conforming to the CAB Forum Network Security Guidelines or a
successor document;"

This provides flexibility in exactly what is done, while making it
reasonably clear that leaving systems unpatched for 5 years would not be
acceptable.

This is: https://github.com/mozilla/pkipolicy/issues/70

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

Peter Kurrasch

May 22, 2017, 11:18:11 PM
to Gervase Markham via dev-security-policy, mozilla-dev-s...@lists.mozilla.org
I think the term "industry best practices" is too nebulous. For example, if I patch some of my systems but not all of them I could still make a claim that I am following best practices even though my network has plenty of other holes in it.

I assume the desire is to hold CAs to account for the security of their networks and systems, is that correct? If so, I think we should have something with more meat to it. If not, the proposal as written is probably just fine (although, do you mean the CABF's "Network Security Requirements" spec or is there another guidelines doc?).

For consideration: Mozilla can--and perhaps should--require that all CAs adopt and document a cybersecurity risk management framework for their networks and systems (perhaps this is already mandated somewhere?). I would expect that the best-run CAs will already have something like this in place (or something better) but other CAs might not. There are pros and cons to such frameworks but at a minimum it can demonstrate that a particular CA has at least considered the cybersecurity risks that are endemic to their business.


Gervase Markham

May 23, 2017, 6:24:13 AM
to Peter Kurrasch
On 23/05/17 04:18, Peter Kurrasch wrote:
> I think the term "industry best practices" is too nebulous. For
> example, if I patch some of my systems but not all of them I could
> still make a claim that I am following best practices even though my
> network has plenty of other holes in it.

I'm not sure that "patching half my systems" would be generally accepted
as "industry best practice". But regardless, unless we are planning to
write our own network security document, which we aren't, can you
suggest more robust wording?

> I assume the desire is to hold CA's to account for the security of
> their networks and systems, is that correct? If so, I think we should
> have something with more meat to it. If not, the proposal as written
> is probably just fine (although, do you mean the CABF's "Network
> Security Requirements" spec or is there another guidelines doc?).

Yes, that's the doc I mean (for all its flaws).

> For consideration: Mozilla can--and perhaps should--require that all
> CA's adopt and document a cybersecurity risk management framework for
> their networks and systems (perhaps this is already mandated
> somewhere?). I would expect that the best run CA's will already have
> something like this in place (or something better) but other CA's
> might not. There are pros and cons to such frameworks but at a
> minimum it can demonstrate that a particular CA has at least
> considered the cybersecurity risks that are endemic to their
> business.

If we are playing "too nebulous", I would point out that to meet this
requirement, I could just write my own (very lax) cybersecurity risk
management framework and then adopt it.

Any requirement which is only a few sentences is always going to be
technically gameable. I just want to write something which is not easily
gameable without failing the "laugh test".

Gerv

Peter Kurrasch

May 24, 2017, 10:31:49 AM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
It might be fair to characterize my position as "vague but comprehensive"...if that's even possible? There are some standard-ish frameworks that could be adopted:

- NIST has an existing framework that is currently going through some sort of update/revisory process.

- ISO has 27032:2012 which looks to have some good stuff in it.

- Perhaps surprisingly enough, the American Institute of CPAs has a variety of information that looks to be a good starting point for anyone.

I would be interested in knowing if other people know of other frameworks and have experience using any of them. I'm certainly not advocating that any of the above be used here or that they are necessarily even good resources for folks in the CA space.

Back to laughable security, my issue is that there are many ways an organization might experience a security breakdown in ways that cause severe face damage to security folks due to either excessive face palms or banging one's head against the wall or even laughing too hard. Examples include: allowing weak passwords (by employees), poor password management, inadequate access controls, weak network intrusion detection, insufficient protection from well-known web application vulnerabilities (e.g. SQL injection), and the list goes on.

If you'd like to keep the policy to a sentence or so, perhaps we could use some "including but not limited to" verbiage?


Gervase Markham

May 24, 2017, 10:56:40 AM
to Peter Kurrasch
On 24/05/17 15:31, Peter Kurrasch wrote:
> It might be fair to characterize my position as "vague but
> comprehensive"...if that's even possible? There are some standard-ish
> frameworks that could be adopted:

I think we would prefer to wait for the CAB Forum to adopt something
rather than attempting to define and enforce our own. If for no other
reason than the CAB Forum thing is more likely to be audited and
therefore to have actual teeth.

> If you'd like to keep the policy to a sentence or so, perhaps we could
> use some "including but not limited to" verbiage?

Well, the draft wording we started with used "for example"... :-)

Gerv

Peter Kurrasch

May 24, 2017, 3:34:50 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
Fair enough. This is absolutely the sort of stuff that needs to be part of regular auditing. I was wondering what sort of checking or enforcement you had in mind by including it in the Mozilla policy now? Perhaps you just want the CAs to be reminded that cybersecurity issues are important despite the CABF docs on the matter being too weak?

I have no qualms using "for example". I would like for more to be mentioned than just software updates but even there I don't feel too strongly about it.

Gervase Markham

May 31, 2017, 7:23:38 AM
to mozilla-dev-s...@lists.mozilla.org
On 19/05/17 13:55, Gervase Markham wrote:
> "CAs whose certificates are included in Mozilla's root program MUST:
> .....
> * follow industry best practice for securing their networks, for example
> by conforming to the CAB Forum Network Security Guidelines or a
> successor document;"

Implemented as specced.

Gerv