In order to have access to one cabinet, how many persons may be notified?

On Sunday, January 29, 2023 at 21:05:41 UTC+8, <wash...@gmail.com> wrote:

> Thanks.
> Q: what ensures a person cannot access cabinet A from one environment and 
> then cabinet B from a second environment? Is there physical separation of 
> the cabinets, or are they still physically located near each other where a 
> reasonable individual might incidentally open the wrong cabinet?
> Ans: The global and domestic systems are installed in separated cabinets 
> located in the same secure room. Each cabinet is equipped with a padlock 
> and numeric combination lock to prevent a single person from accessing the 
> global and domestic cabinets alone.
> The passwords of the numeric combination locks are kept by the security 
> administrator of the secure room. The brass keys of padlocks are kept by 
> operational staff of the control room outside layers of secure rooms. 
> Cabinets can be opened after authorization from the management according to 
> the physical access requests from system administrators. System 
> administrators do not have privileges to open the cabinets.
> On Sunday, January 29, 2023 at 07:25:49 UTC+8, <ke ju> wrote:
>
>> On Thursday, January 26, 2023 at 7:18:53 PM UTC-5 wash...@gmail.com 
>> wrote:
>> Thanks. Happy New Year. Sorry, the Spring Festival holiday delayed some 
>> time.
>>
>> BJCA separates and operates two independent certification systems in the 
>> following aspects:
>> 1. Certification Practice Statement
>> i. Global Certification system CPS 
>> <https://www.bjca.cn/u4d/%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%EF%BC%88CPS%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E5%85%A8%E7%90%83%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%20Beijing%20Certificate%20Authority%20Co.,%20Ltd.%20Global%20Certification%20Practice%20Statement.pdf>
>> ii. Domestic Certification system CPS 
>> <https://www.bjca.cn/u4d/%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%EF%BC%88CPS%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99.pdf>
>>
>> 2. The two independent certification management systems are each operated 
>> within its own segmented networks, and resources such as cabinets, server 
>> hardware, operating system environments and HSMs are independent and not 
>> shared.
>>
>> What ensures a person cannot access cabinet A from one environment and 
>> then cabinet B from a second environment?
>>
>> Is there physical separation of the cabinets, or are they still 
>> physically located near each other where a reasonable individual might 
>> incidentally open the wrong cabinet?
>> 3. A Policy Management Authority (PMA) within the company is responsible 
>> for monitoring the operations of the two certification management systems. 
>> The CEO of the company is the chief of the PMA now. All members of the PMA 
>> are employees of the company. 
>>
>> 4. The operation team members have to be approved by the PMA and trained 
>> for qualification before being enlisted in the trusted-role list of the 
>> Global Certification Management System to get into regular operation 
>> activities. Physical and logical access privileges for Global 
>> Certification Management System are issued following the roles of 
>> operations in the trusted-role list. All members of the operation team are 
>> full-time employees working for the company.
>>  
>> 5. An automated monitoring system which detects unauthorized changes to 
>> critical files or sends alerts for security events has been implemented.
>>  
>> 6. Automation has been implemented on the global certification system for 
>> checking, such as linting tools certlint, x509lint and zlint.
>>
>> 7. In order to maintain compliance, BJCA has built up ISO 27001 ISMS as 
>> the foundation of its management and got certified. BJCA conducts regular 
>> internal audits and risk assessments following its ISMS management system 
>> requirements. BJCA also accepts external audits for the two independent 
>> certification management systems:
>> i. The global certification system: WebTrust.
>> ii. The domestic certification system: regular audit of the authority 
>> department of the government to maintain its certification service license.
>> On Friday, January 27, 2023 at 01:03:56 UTC+8, <bwi...@mozilla.com> wrote:
>> I have added BJCA's email addresses, including "wash...@gmail.com", to 
>> the list with posting privileges. Hopefully this will enable some responses.
>> Thanks,
>> Ben
>>
>> On Thu, Jan 26, 2023 at 9:00 AM Ben Wilson <bwi...@mozilla.com> wrote:
>> From BJCA - 
>> Hi Ben,
>> When we reply to the forum through our gmail account, we are prompted 
>> that we have no permission. This gmail address (wash...@gmail.com) 
>> represents BJCA, please help to add permissions so that we can participate 
>> in the discussion, thank you.
>>
>> lip...@bjca.org.cn
>> ------------------------ 
>> I'll see what I can do to get this straightened out.
>> Ben
>>
>> On Wed, Jan 25, 2023 at 7:06 PM Kurt Seifried <ku...@seifried.org> wrote:
>> Is BJCA.cn still on this list? if we've only got 3 weeks (21 days) and 
>> they take 2+ days to answer we're going to run out of time pretty quickly. 
>>
>> On Mon, Jan 23, 2023 at 6:11 PM Kurt Seifried <ku...@seifried.org> wrote:
>> This seems to mostly depend upon BJCA.cn disclosing information to us. 
>> Information we have asked for in the past but been told is "confidential" 
>> and so on.
>>
>> So with this in mind: BJCA.cn: can you please explain how your company is 
>> structured to prevent subversion of the root certificate authority? E.g. 
>> technical measures can be circumvented trivially if the people running them 
>> are told to do so (and if they don't they can be replaced with people that 
>> will). 
>>
>> On Mon, Jan 23, 2023 at 4:57 PM Ben Wilson <bwi...@mozilla.com> wrote:
>> All,
>>
>> We recently concluded a six-week public discussion on the CCADB Public 
>> list for the root inclusion request of Beijing CA (BJCA), 
>> https://groups.google.com/a/ccadb.org/g/public/c/o9lbCbr92Ug/m/lPkqrHF1DQAJ. 
>> This email is to announce a continued 3-week discussion of BJCA’s inclusion 
>> application to be held on this list. The reason for this continued 
>> discussion is that we need to gather more information to better understand 
>> BJCA’s operational and management controls and the One Pass software (among 
>> any other issues that might be raised during this continued discussion).
>>
>> The current state of our understanding is summarized in the post 
>> referenced in the link above. That is, BJCA operates two different 
>> infrastructures, one that meets the needs of its national government and 
>> another that aims to meet the needs of the global public. Also, according 
>> to BJCA, the One Pass software was mislabelled as spyware.
>>
>> There hasn’t been enough evidence yet to make conclusions about these two 
>> questions–how is management and operation of the two infrastructures 
>> separated, given that they both are part of the same company, and did the 
>> Beijing One Pass software have any components that would be considered 
>> spyware? I would expect that BJCA might want to respond initially to these 
>> questions, even if they believe that they have answered them adequately in 
>> the past.  
>>
>> We need fact-based discourse that answers these questions.
>>
>> In addition to these questions, does anyone have examples of other 
>> conduct by BJCA or insights into its practices? Can anyone provide more 
>> information about BJCA’s information security practices, compliance with 
>> international standards, or performance under other metrics that will help 
>> determine its future conduct, were it to become a publicly trusted CA?
>>
>> I’d like to continue this discussion through Monday, February 13, 2023. 
>> As with the public discussion held on CCADB Public, please reply directly 
>> in this discussion thread with thoughtful and constructive comments, and a 
>> representative of BJCA must respond here to all questions or issues that 
>> are raised.
>>
>> Thanks,
>>
>> Ben
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "dev-secur...@mozilla.org" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to dev-security-po...@mozilla.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com
>>  
>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>>
>> -- 
>> Kurt Seifried (He/Him)
>> ku...@seifried.org
>>
>>
>>
>
