2019-Mar-07: Daymion’s approach would be to restrict the scope of the Network Security Requirements (in the Scope section at the beginning of the document). He is considering adding the following:
The network security requirements apply to all system components included in or connected to the publicly trusted certificate authority (CA) environment. The CA environment consists of people, processes and technologies that store, process, or transmit CA data. “System components” include network devices, servers, hardware security modules (HSM), computing devices, and applications residing within the CA environment. Examples of system components include, but are not limited to, the following:
a. Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CA environment (for example, name resolution or web redirection servers).
b. Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
c. Network components including but not limited to firewalls, switches, routers, network appliances, HSM and other security appliances.
d. Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
e. Applications including all purchased and custom applications.
f. Any other component or device located within the CA environment.
To be considered out of scope for the CA environment, a system component must be properly isolated (segmented) from the CA environment, such that even if the out-of-scope system component was compromised it could not impact the security of the CA environment.
His proposal would also add definitions for “Certificate Authority Environment” (“The area where certificates are generated, and stored for later transmission to the requester”) and “Connected To” (“Components within the certificate authority environment which exchange data”).
The group discussed parts of the proposed language. The phrase “connected to” received the most criticism because it seemed to be too broad – anything could be considered “connected” whether it is operating, transmitting, or exchanging data. Similarly, “exchange data” was discussed.