DNSSEC Practice Statement for .nz, version 1.1
To the NZNOG community:

After weeks of work discussing and addressing the concerns the NZNOG members have raised about the DNSSEC Practice Statement for .nz, we'd like to present a new version of the document.

Version 1.1 is available at http://www.nzrs.net.nz/dns/dnssec/dps

The changes between Version 1.0 and Version 1.1 are posted at http://www.nzrs.net.nz/dns/dnssec/dps/history, which also includes the previous version in PDF format.

Minor changes have been made throughout the document.

The following sections have been updated with more information as requested by the community:
* 1.4. Document Management
* 4.1. Site Controls
* 4.3.3. Trusted individuals
* 4.4.5. Vulnerability assessments
* 4.6.1. Incident Detection and compromise handling procedures
* 7.1. Frequency of entity compliance audit

For the following sections we have made changes to our design to address the concerns raised by the community:
* 6.1. Key lengths and algorithms
* 4.3.1. Trusted roles
* 4.3.2. Number of persons required per task

We are still working on the Key Pair Generation procedures and it is our intention to update that part of the DPS in the coming weeks and to also publish more technical details on the Key Pair Generation Procedure. The technical details will be released as a separate document that will also include details of the scripts used.

The intention of the DPS document is to assist you in determining the level of trust that you may assign to DNSSEC in the .nz domain and for you to assess your own risk.

We'd like to encourage discussion around this new version of the document. Please feel free to ask any questions about the DPS or provide any suggestions for improvements to the document.

If you need to make a non-public comment, feel free to contact me or Dave Baker (dave(a)nzrs.net.nz)

Regards,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
Hi Sebastian,

This looks like a great improvement over the first document. I haven't had time to go over it in detail, but I didn't want to wait before giving you guys some worthy praise. I'll get some time over the next few days to comment in more detail.

Regards,
Dean

On 1/07/11 4:40 PM, Sebastian Castro wrote:
On 4/07/11 11:12 AM, Dean Pemberton wrote:
I'll get some time over the next few days to comment in more details.
Phew - finally got a few spare secs. It really looks a lot better. Here are a few sections where I think we could still improve this a bit.

4.1. Site Controls

I'm really happy with the level of detail which has been added to this section. I think it outlines what physical security measures NZRS are proposing. The content is almost there in my opinion as well.

The only outstanding issue is around access by non-trusted personnel. At the Auckland and Wellington locations, the NZRS rack seems to be located in an area shared with other co-location clients. As such there is an increased risk that someone who is allowed access to the co-lo but not allowed access to NZRS equipment under this DPS might be able to gain access. It would seem that the only tier of security under *SOLE* NZRS control here is the lock on the front of the rack.

Could I suggest the following additions?
* State that the keys for the racks are custom cut and not the default for the rack provider.
* State that the keys are under active control and signed out from an NZRS controlled when required.
* Consider adding a rack-based alarm system under sole NZRS control. While it would be good, I don't believe this needs to be centrally monitored. A starting point would be one which would alert co-lo security that someone had opened the rack without authorisation.

4.3.1. Trusted roles

Good addition to the roles here. How many of these roles are appointed at any one time? e.g. "There are two SAs, 6 KSOs, 6 DSOs and 1 IWs at any one time. Of these the following numbers must be present... blah"

"None of the operations previously described may be carried out in the presence of unauthorized people."

I believe that you might want to have a capability to have moderated domain owners present at a key ceremony. In an observation capacity, for e.g.

4.4.2. Background check procedures

"The NZRS security policy requires all new employees to be subject to pre-employment vetting includes reviewing of:"

That's a much better list than previous. It details what checks you will perform, but not what the outcome has to be. Is a conviction for unauthorised access to a computer system ok as long as it was over 5 years ago? Or are no convictions ok at all?

How about the addition of something like (I've pulled these from places like other DPS statements or licensing requirements for security guards etc):

NZRS will not consider persons for a position as a trusted individual if they have been:
* convicted of a crime involving dishonesty or breach of trust.
* convicted of a crime involving unauthorised access to a computer system.
* disqualified from driving in the last 5 years.
* identified to have a lack of financial responsibility.
* declared bankrupt.
* identified to have a gambling or substance addiction.

"Outsourced partners, contractors and sub-contractors are required to: Undertake pre-employment checks for new employees"

This worries me a bit if NZRS is outsourcing the decision making around its personnel security to an outsourced partner. I'd be much happier here if NZRS didn't outsource any of the SA, KSO, DSO positions outside of its direct employees. If they have to, then there should be a contracted responsibility for NZRS to perform the same background checks they would if they were employing the person. These should not be subcontracted to the outsourced partner.

4.4.4. Contracting personnel requirements

"No person outside the Trusted Roles specified in Section 4.3.1 http://nzrs.net.nz/dns/dnssec/dps#DNSSECPracticeStatement-trustedroles can get access to the signer or signing material such as backups."

Something that Michael Newbery picked up on earlier. What ensures that this is the case? How about...

"NZRS takes all care to ensure that no person outside the Trusted Roles specified in Section 4.3.1 http://nzrs.net.nz/dns/dnssec/dps#DNSSECPracticeStatement-trustedroles can get access to the signer or signing material such as backups. This is ensured through the following measures:
* blah
* blah
* blah"

So rather than just stating that it will never happen, show us how you'll ensure that it doesn't.

5.1.2. Public key distribution

There are some uses of "SO" here. These should probably be changed to KSO.

5.2.2. Private key (m-of-n) multi-person control

"During the HSM activation, all Keystore Security Officers and Device Security Officers needs to be present to be enrolled as such and activate the HSM. One System Administrator is required to get physical access. Multi-person control will be applied during the creation of a key backup and restoration."

Three questions here:
* How many KSO and DSO officers are there?
* And once we know the N, what's the M?
* Are you using some form of hardware tokens to initialise or control access to the HSM? Or is it passcode only?
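The M and N that Dean is asking about in 5.2.2 matter because of the property an m-of-n scheme gives a key backup: any M of the N officers can rebuild the material, and M-1 of them learn nothing at all. The block below is an added illustration of that property as Shamir secret sharing over a prime field. It is not NZRS code, and it is not how the .nz signer's HSM implements its quorum (the DPS quoted in the thread does not say; HSM vendors have their own token- or card-based mechanisms). The function names, the 3-of-6 split and the secret value are all constructed for the demo.

```python
"""Added example: Shamir m-of-n secret sharing over GF(p).

Not NZRS code and not the .nz HSM's mechanism; a stand-alone illustration of
the property a DPS's "multi-person control" clause relies on. The M, N and
secret values used in the demo are constructed.
"""
import secrets

# 2^521 - 1 is prime; the field comfortably holds a 256-bit secret.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coefficients lowest degree first) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def _interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through `points`
    (Lagrange interpolation mod PRIME)."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den^(p-2) == den^-1 mod p
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def split_secret(secret, m, n, rng=secrets.randbelow):
    """Split `secret` into n shares such that any m of them reconstruct it.

    Share i is the point (i, f(i)) on a random polynomial f of degree m-1 whose
    constant term is the secret. `rng(p)` must return an int in [0, p); the
    default is a CSPRNG, a deterministic rng is only for reproducible tests.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    coeffs = [secret] + [rng(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Reconstruct the secret from at least m distinct shares.

    With fewer than m shares this returns a value unrelated to the secret rather
    than an error: the threshold has to be enforced by whatever holds the shares
    (the HSM's job in a real deployment), not by the arithmetic.
    """
    return _interpolate(shares, 0)


def consistent_sharing(partial_shares, candidate_secret, n):
    """Return a full n-share set for `candidate_secret` that agrees with the given
    m-1 partial shares. Such a set exists for every candidate, which is the
    information-theoretic argument that m-1 officers learn nothing."""
    points = [(0, candidate_secret)] + list(partial_shares)
    return [(x, _interpolate(points, x)) for x in range(1, n + 1)]


if __name__ == "__main__":
    M, N = 3, 6  # constructed: a 3-of-6 quorum of security officers
    secret = secrets.randbelow(1 << 256)
    shares = split_secret(secret, M, N)
    print("quorum of", M, "recovers the secret:", recover_secret(shares[:M]) == secret)
    print(M - 1, "shares recover the secret:", recover_secret(shares[:M - 1]) == secret)
```

`consistent_sharing` is the check a reviewer would want when assessing a quorum design: feed it the M-1 shares an insider could collect and any secret of the insider's choosing, and it produces a sharing that is indistinguishable from the real one, so those M-1 shares carry no information about which secret was actually split.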
On 10/07/11 18:58, Dean Pemberton wrote:
NZRS will not consider persons for a position as a trusted individual if they have been:
* identified to have a gambling or substance addiction.
That's me out, along with anyone else addicted to caffeine (or nicotine). How many qualified people left?

Richard
On 11/07/2011 10:07 a.m., Richard Hector wrote:
On 10/07/11 18:58, Dean Pemberton wrote:
NZRS will not consider persons for a position as a trusted individual if they have been: * identified to have a gambling or substance addiction. That's me out, along with anyone else addicted to caffeine (or nicotine). How many qualified people left?
Surely the entire NZNOG mailing list are certified Intarweb addicts as well?

--
Juha Saarinen AMNZCS
Twitter: juhasaarinen
That's me out too. Is this security or security theater? Just how much damage could a single compromised person do?

If this document is to be trusted it must be adhered to in its strictest sense, which does rule out those smokers and coffee addicts. If the people who implement the document in day-to-day operations make exceptions like one for coffee/smokers then it does question what other exceptions are being made.

Of course I don't expect anyone to be barred from a trusted position because they like a cup or ten of joe every day, but perhaps the document needs to reflect this?
On 11 July 2011 10:07, Richard Hector
On 10/07/11 18:58, Dean Pemberton wrote:
NZRS will not consider persons for a position as a trusted individual if they have been:
* identified to have a gambling or substance addiction.
That's me out, along with anyone else addicted to caffeine (or nicotine). How many qualified people left?
Richard

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
On Mon, Jul 11, 2011 at 10:39 AM, Tristram Cheer
If this document is to be trusted it must be adhered to in it's strictest sense which does rule out those smokers and coffee addict's, If the people who implement the document in day to day operations make exceptions like one for coffee/smokers then it does question what other exceptions are being made.
And as soon as we start heading down this path I think we are going into dangerous grounds as we are starting to dictate exactly what is acceptable and what is not.

Is someone who drinks 10 beers each week fine? How about someone who has 30 a week? Or me who plays poker every week? If someone dabbles in recreational drugs are they completely out?

Maybe we need to look more at what we're trying to prevent here, and then create rules that attempt to enforce that.

For example..

Steps are taken to ensure that trusted people:
- Do not have an addiction to a proven dangerous substance
- Are generally in a state that allows them to perform their duties
- Are not an easy target for blackmail or bribery due to lifestyle choices or past history

Thoughts?

Dave
If we've otherwise established that there are character checks in place, does a line this specific in nature need to be included at all?

We risk going down a slippery slope of being over-specific and not actually gaining anything from doing so.

Not all 'addictions' are likely to compromise the individual's ability to be both functional and trustworthy.

Surely there's a Government Department or NGO who can suggest some suitable wording for this, we all understand the intent, but shooting one's self in the foot is not necessarily productive....?

Mark.
Valid points. Surely DNSSEC is critical infrastructure and some of the security aspects should be handed off to one of the NZ men-in-black dept's?
Let's see if I can reply to everyone in one post. =)

On 11/07/11 11:19 AM, Dave Mill wrote:
Steps are taken to ensure that trusted people:
- Do not have an addiction to a proven dangerous substance
- Are generally in a state that allows them to perform their duties
- Are not an easy target for blackmail or bribery due to lifestyle choices or past history

Yep I think that encapsulates what I was trying to say. I'm happy to include something like the above points.

On 11/07/11 12:06 PM, Mark Foster wrote:
Surely there's a Government Department or NGO who can suggest some suitable wording for this, we all understand the intent, but shooting one's self in the foot is not necessarily productive....?

Exactly. Everyone knows what the intent is here but I don't believe the document can let it 'go without saying'. Happy to see alternate wording.

On 11/07/11 12:16 PM, Tristram Cheer wrote:
Valid points, Surely DNSSEC is critical infrastructure and some of the security aspects should be handed off to one of the NZ men-in-black dept's?

I think NZRS is the appropriate place for DNSSEC. I believe that it is critical infrastructure however. There seemed to be a reluctance to go down the path of requiring something like a national security clearance for trusted individuals based on earlier posts. Was that what you were suggesting, or did I miss the mark here?

Regards,
Dean