Prelude

This is a risk assessment based on AS/NZS 4360:2004. This is work in progress and not endorsed by CAcert board.

Context

This risk assessment applies to the CAcert operation as a certificate authority. Many of the governance obligations of the operation as a certificate authority tie to the operation of the CAcert Incorporated Association, and these aspects are incorporated into this risk assessment.

Risks that are to be managed are ones that affect the viability of CAcert's certificate authority function.

Q(iang): organisation is what? There is the CAcert Inc Association, the certificate authority, the Assurer network, sundry others and finally, the Community. If organisation as a whole, perhaps the Community, but also the CA ...

(dan) scoped to CA and to some extent addressed the governance/community dependencies

External Context

CAcert is a community organisation that is in the business of validating identities and provides a certificate/X.509 service based on this. It operates globally. As for all certification authorities (CAs), the risks are ones of proper process and technology that support a high-confidence validation of the identities of certificate owners. Reputation is highly important to CAcert.

CAcert's certificate authority obligations are dependent on the community of assurers, and the Community Agreement sets a standard of mutual obligation that CAcert is determined to uphold. Unlike most CAs, the split between assurance and certificate issuance creates a large obligation to serve the assurance community.

Key business goals are to gain InclusionStatus in major browsers. The Mozilla organisation has required the completion of an Audit Project to fulfil its inclusion requirements, and as such this is the major goal.

The Audit project is funded by NLnet and is under obligation to deliver outcomes at specified dates.

Internal Context

The board and management subcommittee (M-SC) are volunteers committed to these goals of the organisation. Their time, however, is limited. CAcert is an incorporated organisation in NSW, Australia, that is managed by the board. The board has delegated CEO-like duties to the M-SC.

CAcert's assets include ownership of servers that provide various online functions necessary for the performance of a CA. Audit and documentation services have been contracted out, as have hosting and firewall management.

CAcert's financial assets are largely funded activities dependent on delivering outcomes.

Internal goals are to enhance the system administration to a supportable level.

Risk Measurement

Risks rated above Medium will be managed. Medium risks will be managed if time/cost permits. The consequence/likelihood factors below determine the risk rating.

Consequence Ratings

These describe the harms that occur if the threat is realized.

(really these should be determined and signed off by management)

Q(iang): there is an interesting comment in the choice of catastrophic and major risks, which places the survival of the organisation above the CA and reliance by (explicit and implicit) parties. I do not disagree, but it is certainly a debate to be had. The choice above to some extent reflects the "wider mission" of security rather than the "narrow mission" of "free certs".

(dan): To my understanding, to meet the "wider mission of security" a governance structure is required to obtain the necessary credibility that is pretty much mandated in the security community.

Q(iang): the recent debate over DoB was based on the threat of identity theft. recent USA-credit-market developments indicate that a large scale identity theft has rocketed from a minor risk (if covered up) to a major risk (as regulators get involved, fines are likely, wholescale revision of security is indicated, etc).

(dan) this almost leads to a risk assessment based on PR and legal risk (which it almost is anyway). I'm not sure that is such a bad thing either.

Likelihood Ratings

Risk Matrix

Risks are:

Assets

Assets here are annotated with the consequence rating should the asset no longer be available.

Intangible Assets

Systems

Different assets are critical for different reasons. The below indicates which security aspect of the asset has consequences.

Critical Systems

Non-critical systems

TODO find/determine the purpose of audit

Other Assets

Threats

Once inclusion in Mozilla browsers is obtained, the threat profile is raised significantly. Because the ability to respond to this threat must be timely, this risk assessment assumes inclusion status has already been obtained.

Q(iang): the above seem to be the actors, whereas the threats might be: hacking, legal (filed case, legal seizure, privacy investigation, investigation by other regulator, etc); outside theft, loss, destruction, backups unreadable; leakage of data, sharing of data, misuse of resources, ... hmm seems like another matrix. Actor / act / summary effect ?

A(dan) I'm tempted to address these in the RA table below.

Risk Assessment

Systems

Risk IDs are a concatenation of the system, the security property at risk (Confidentiality / Integrity / Availability) and a unique identifier.

Mozilla Criteria

These are based on the Mozilla CA Certificate Policy (1.2). The numbers reflect the requirement in http://www.mozilla.org/projects/security/certs/policy/.

References

Footnotes

  1. The root key must be available at least once per week, otherwise CRLs and OCSP are unavailable.

  2. Mozilla Policy specifies availability of these services: http://www.mozilla.org/projects/security/certs/policy/

  3. If it doesn't work, then Thunderbird and Firefox stop working for all servers with CAcert certificates.

  4. Consequence directly tied to the ability to support OCSP/CRL.

  5. Greater than 24 would cause a PR issue.

  6. Loss of site SSL key; assumes no access to the User database listed above.

  7. Based on typical email retry times; applicable to support/management/arbitration email services.

  8. As test systems are migrated into production, this is a potential code compromise point.

RiskAssessment (last edited 2016-03-28 09:54:16 by AlesKastner)