Ballot 83 – Adopt Network and Certificate System Security Requirements

Ballot overview

• Ballot 83 adopts the Network and Certificate System Security Requirements as Version 1.0.
• The ballot states that it passes with 69% of CAs and 66% of Browsers in favor.
• The motion was endorsed by Ben Wilson, Bill Madell, and Rick Andrews.

Scope and applicability

• The requirements apply to all publicly trusted Certification Authorities.
• The text says CAs and Delegated Third Parties should be audited for conformity as soon as the requirements have been incorporated as mandatory requirements in the relevant root embedding program.
• The ballot also says the requirements are intended to be incorporated into WebTrust, ETSI 101 456, and ETSI TS 102 042 criteria.

Security requirements adopted

• The requirements cover network segmentation, secure zones, high security zones, access control, trusted roles, logging, monitoring, alerting, vulnerability detection, and patch management.
• They require controls such as multi-factor authentication, password and account protections, weekly configuration review, log review, vulnerability scans, penetration tests, and critical vulnerability response within 96 hours.
• The document defines terms including Certificate Systems, Delegated Third Party, Issuing System, Root CA System, Secure Zone, High Security Zone, and Critical Vulnerability.

Timing and implementation

• The ballot page states the review period runs from 20 July 2012 at 2100 UTC to 27 July 2012 at 2100 UTC, and the voting period runs from immediately thereafter until 3 Aug 2012 at 2100 UTC.
• The motion states an Effective Date of 1 January 2013.
• The linked PDF is labeled Forum Guideline Effective on 1/1/2013.

Result

• The ballot passed.
• The evidence does not mention any exclusion notices.