SC-020 failed

Ballot SC020: System Configuration Management

Server Certificate Working Group

Key dates

Voting opened: 16 Mar 2020
Voting closed: 23 Mar 2020
Discussion opened: 09 Mar 2020
Discussion closed: 16 Mar 2020

AI Summary

Generated 2026-06-23 21:41 UTC

Ballot overview

  • Ballot SC020: System Configuration Management in the Server Certificate Working Group.
  • The ballot failed.
  • It was intended to revise Section 1(h) of the Network and Certificate System Security Requirements.

Purpose and proposed changes

  • The ballot says Section 1(h) required CAs to review configurations of Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems on at least a weekly basis.
  • It cites feedback that weekly review almost always includes automated monitoring plus human review, and that systems are too complex for meaningful human review of configuration changes alone.
  • The proposal would replace review with a requirement to systematically enforce and monitor system configurations.
  • CAs would identify which configurations are security relevant based on a documented assessment.
  • Security-relevant configurations would need to be aligned with the CA’s security policies and standards.
  • Policy and standard violations would need to be detected within at most seven days.
  • Follow-up action would need to be instigated under the CA’s incident response procedures.
  • For systems operated offline and air-gapped, detection should occur at least every thirty days or when the system is powered on.
  • The ballot lists examples of security-relevant configurations, including user databases, administrative access channels, configuration management channels, network settings, host-local firewall, host-local IDP/IDS settings, package repositories and other update sources, and operating system logging service or its equivalent.

Approval schedule

  • Discussion period: 2020-03-09 17:00:00 UTC to 2020-03-16 17:00:00 UTC.
  • Vote period: 2020-03-16 17:00:00 UTC to 2020-03-23 17:00:00 UTC.
Model: gpt-5.4-mini Confidence: 0.99 Result: failed

AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.

Proposers

Proposed by Neil Dunbar of Google Trust Services and endorsed by Tobias Josefowitz of OPERA and Dustin Hollenback of Microsoft.
