NS005: Clarifications to sections 1, 2 and a definition prior to NS003 taking effect (#38)

danjeffery · clintwilson · web-flow · commit 6bf3a2fbabca · 2024-11-12T07:56:01.000-08:00
* Incorporate clarifications to:
- Workstation definition
- 1.2.2
- 2.2.1.2
- 2.2.2
- 2.2.5

* Incorporate community feedback

* Add Fido2 specification

* Latest iteration after subgroup meeting 2024-09-11

* Final (hopefully) tweaks to the language for NS005

* Last amend to clear up OCSP and CRL in 1.2.2

* Reference 1.7 to give more time for adoption

* Update build-draft-docs.yml

---------

Co-authored-by: Clint Wilson &lt;clint@wilsonovi.com&gt;
diff --git a/.github/workflows/build-draft-docs.yml b/.github/workflows/build-draft-docs.yml
@@ -33,4 +33,4 @@ jobs:
             ${{ steps.build_doc.outputs.pdf_file }}
             ${{ steps.build_doc.outputs.docx_file }}
             ${{ steps.build_doc.outputs.pdf_redline_file }}
-          if-no-files-found: 'error'
+          if-no-files-found: 'error'
diff --git a/docs/NSR.md b/docs/NSR.md
@@ -1,9 +1,9 @@
 ---
 title: Network and Certificate System Security Requirements
-subtitle: Version 2.0
+subtitle: Version 2.2
 author:
   - CA/Browser Forum
-date: 05 June, 2024
+date: 27 September, 2024
 copyright: |
   Copyright 2024 CA/Browser Forum
 
@@ -103,6 +103,7 @@ The following are outcomes that this document seeks to achieve:
    1. something the user knows (knowledge factor);
    2. something the user has (possession factor); and
    3. something the user is (inherence factor).
+
 Each factor is independent of the other(s).
 
 **Multi-Party Control**: An access control mechanism which requires two or more separate, authorized users to successfully authenticate with their own unique credentials prior to access being granted.
@@ -172,14 +173,11 @@ Each factor is independent of the other(s).
 
 **Vulnerability Scan**: A process that uses manual or automated tools to probe internal and external systems to check and report on the status of operating systems, services, and devices exposed to the network and the presence of vulnerabilities listed in the NVD, OWASP Top Ten, or SANS Top 25.
 
-**Workstation**: A device, such as a phone, tablet, or desktop or laptop computer, which is:
-
-   1. connected to the same network as CA Infrastructure and/or Network Equipment; and
-   2. capable of accessing CA Infrastructure and/or Network Equipment.
+**Workstation**: A device, such as a phone, tablet, or desktop or laptop computer, which is capable of accessing CA Infrastructure and/or Network Equipment with elevated privileges compared to any given point on the general internet.
 
 ## Requirements
 
-Prior to 2024-11-12, the CA SHALL adhere to these Requirements or Version 1.7 of the Network and Certificate System Security Requirements. Effective 2024-11-12, the CA SHALL adhere to these Requirements.
+Prior to 2025-03-12, the CA SHALL adhere to these Requirements or Version 1.7 of the Network and Certificate System Security Requirements. Effective 2025-03-12, the CA SHALL adhere to these Requirements.
 
 ### 1. CA Infrastructure and Network Equipment Configuration
 
@@ -220,10 +218,7 @@ CA Infrastructure MUST be in a Physically Secure Environment.
 
 ##### 1.2.2
 
-CA Infrastructure and Network Equipment MUST be implemented and configured to authenticate and encrypt connections:
-
-   1. between CA Infrastructure components; and
-   2. between CA Infrastructure and non-CA Infrastructure.
+Connections to and within the CA Infrastructure MUST be authenticated and encrypted except OCSP and CRL.
 
 CA Infrastructure and Network Equipment MUST be implemented and configured in a manner that minimizes unnecessary active components and capabilities such that:
 
@@ -301,7 +296,9 @@ The CA MUST ensure personnel assigned to Trusted Roles that are authorized to ac
 
 ###### 2.2.1.2
 
-The CA MUST NOT allow group accounts or shared role credentials to authenticate to or access CA Infrastructure and/or Network Equipment.
+The CA SHOULD NOT allow group accounts or shared role credentials to authenticate to or access CA Infrastructure and/or Network Equipment. If group accounts or shared role credentials are used, the CA MUST be able to attribute each use to
+    * an approved activity; and
+    * an individual user or service account.
 
 ###### 2.2.1.3
 
@@ -321,11 +318,7 @@ The CA MUST ensure security measures are implemented that minimize the susceptib
 
 ##### 2.2.2
 
-The CA SHOULD ensure Workstations are configured in a manner that prevents continued access to the Workstation after a set period of inactivity, for example by automatically logging off active users. The allowed and configured duration of inactivity MUST be selected based on the CA's assessment of associated risks.
-
-The CA MAY allow a Workstation to remain active and unattended if the Workstation is otherwise secured and running administrative tasks that would be interrupted by an inactivity time‐out or system lock.
-
-The CA MUST ensure personnel assigned to Trusted Roles log out of or lock their Workstation(s) when not in active use.
+The CA MUST ensure Workstations are configured in a manner that prevents continued access to the Workstation after a set period of inactivity, for example by automatically logging off active users. The allowed and configured duration of inactivity MUST be selected based on the CA's assessment of associated risks.
 
 ##### 2.2.3
 
@@ -334,24 +327,18 @@ The CA MUST enforce the use of Multi-Factor Authentication for:
    1. accounts on CA Infrastructure; and
    2. access to CA Infrastructure.
 
-Authentication based on the possession of a certificate can be used as part of Multi-factor Authentication only if the associated Private Key is stored in a key storage device certified as:
-
-* meeting at least FIPS 140-2 or 140-3, level 2 overall or level 3 physical; or
-* validated against a Common Criteria Protection Profile for Digital Signatures at EAL 4 augmented with AVA_VAN >=5 and ALC_FLR >= 2.
+Authentication based on the possession of a cryptographic key can be used as part of Multi-factor Authentication only if that key is stored in a key storage device that is designed to prevent extraction.
 
 ##### 2.2.4
 
 The CA MUST enforce the use of Multi-Party Control for physical access to any Root CA System.
 
 ##### 2.2.5
 
-The CA SHOULD ensure passwords used as authentication credentials for accounts on CA Infrastructure, Network Equipment, or Workstations are generated and managed in accordance with NIST 800-63B Appendix A.
-
-The CA SHALL NOT require periodic password changes with a period less than two (2) years.
-
-The CA MUST ensure passwords used as authentication credentials for accounts on CA Infrastructure have a minimum of twelve (12) characters.
+The CA SHOULD ensure passwords used as authentication credentials for accounts on CA Infrastructure, Network Equipment, or Workstations are generated and managed in accordance with NIST 800-63B Revision 3 Appendix A. Access to shared credentials MUST:
 
-The CA MUST ensure passwords used as authentication credentials for accounts on Network Equipment or Workstations have a minimum of eight (8) characters.
+* be limited to personnel based on the Principle of Least Privilege; and
+* comply with section 2.2.1.2.
 
 ##### 2.2.6
 
