I think the term "industry best practices" is too nebulous. For example, if I 
patch some of my systems but not all of them I could still make a claim that I 
am following best practices even though my network has plenty of other holes in 
it.

I assume the desire is to hold CA's to account for the security of their 
networks and systems, is that correct? If so, I think we should have something 
with more meat to it. If not, the proposal as written is probably just fine 
(although, do you mean the CABF's "Network Security Requirements" spec or is 
there another guidelines doc?).

For consideration: Mozilla can--and perhaps should--require that all CA's 
adopt and document a cybersecurity risk management framework for their networks 
and systems (perhaps this is already mandated somewhere?). I would expect that 
the best run CA's will already have something like this in place (or something 
better) but other CA's might not. There are pros and cons to such frameworks 
but at a minimum it can demonstrate that a particular CA has at least 
considered the cybersecurity risks that are endemic to their business.


  Original Message  
From: Gervase Markham via dev-security-policy
Sent: Friday, May 19, 2017 7:56 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Reply To: Gervase Markham
Subject: Policy 2.5 Proposal: Require all CAs to have appropriate network 
security

At the moment, the CAB Forum's Network Security guidelines are audited
as part of an SSL BR audit. This means that CAs or sub-CAs which only do
email don't technically have to meet them. However, they also have a
number of deficiencies, and the CAB Forum is looking at replacing them
with something better, ideally maintained by another organization. So
just mandating that everyone follow them doesn't seem like the best thing.

Nevertheless, I think it's valuable to make it clear in our policy that
all CAs are expected to follow best practices for network security. I
suggest this could be done by adding a bullet to section 2.1:

"CAs whose certificates are included in Mozilla's root program MUST:
....
* follow industry best practice for securing their networks, for example
by conforming to the CAB Forum Network Security Guidelines or a
successor document;"

This provides flexibility in exactly what is done, while making it
reasonably clear that leaving systems unpatched for 5 years would not be
acceptable.

This is: https://github.com/mozilla/pkipolicy/issues/70

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy