bcgov / cloud-pathfinder

This is the technology and UX backend repo for the cloud pathfinder ZenHub task board
https://app.zenhub.com/workspaces/cloud-pathfinder-5e4dbb426c3c6af8dcbf06a7/board?repos=241742911
Creative Commons Zero v1.0 Universal

TLS Cert discussion w/ ADMS team #2963

Closed NickCorcoran closed 1 month ago

NickCorcoran commented 2 months ago

Describe the Issue
Current standards indicate that we can only obtain TLS certs through ADMS and the Entrust digital certificate service. Need to discuss updates to current standards to account for acceptable alternatives:

Additional Context
https://www2.gov.bc.ca/assets/gov/government/services-for-government-and-broader-public-sector/information-technology-services/standards-files/cryptographic_standards_v17.pdf

Where an X.509 certificate is required for system authentication it MUST be obtained through Shared Services BC.

https://wiki.gccollab.ca/images/8/89/Recommendations_for_TLS_Server_Certificates.pdf

The primary guidance we use today for certificate use is the cryptographic standards document you referenced below. The only guidance in this area this standard currently provides is that SSL certificates issued to host names whose domain is managed by OCIO must be obtained via the OCIO SSL service (i.e. Entrust certificates). This seems to apply to the host name you identified below, but at the same time, this element of the crypto standards was written largely before cloud environments, and was targeted at servers within one of the BC Government data centers.

I think your plan going forward sounds reasonable. The crypto standards cover more than just the source of certificates. If you were to meet the items below, I think you would be in good shape:

- Use appropriate key sizes (i.e. 2048 bits or larger)
- Use appropriate signature algorithms (i.e. use SHA256 over SHA1)
- Do not exceed 12 months for certificate lifetimes. (This does NOT include root or issuing CA certificates!)
- Ensure that issued certificates can be revoked, and that clients are checking the revocation status.
- Be cautious with how you use the key usage and extended key usage (aka enhanced key usage) extensions. If you only use those you NEED, you should be in good shape. Virtually all TLS certificates should only require:

Acceptance Criteria
A set of pre-defined requirements that need to be met in order to mark the user story as “done”. See below for team agreement details.
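The five points in the quoted reply above (key size, signature hash, 12-month leaf lifetime with CA certificates exempt, revocation endpoints, minimal key usage) can be turned into an automated pre-deployment check against an issued certificate. The Go program below is an added example, not code from the cloud-pathfinder repo or from the ADMS team; the function names and the test certificate's subject name are made up, and the set of needed extended key usages is passed in by the caller because the quoted list is cut off.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// Violations returns one finding per point of the quoted guidance that the certificate fails.
// allowedEKU is caller-supplied because the quoted list of needed extended key usages is cut off.
func Violations(c *x509.Certificate, allowedEKU []x509.ExtKeyUsage) []string {
	var v []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		v = append(v, "RSA key shorter than 2048 bits")
	}
	if a := c.SignatureAlgorithm; a == x509.MD5WithRSA || a == x509.SHA1WithRSA || a == x509.ECDSAWithSHA1 {
		v = append(v, "signed with "+a.String()+", use SHA-256 or stronger")
	}
	if !c.IsCA && c.NotAfter.Sub(c.NotBefore) > 366*24*time.Hour { // root/issuing CAs are exempt
		v = append(v, "validity period exceeds 12 months")
	}
	if len(c.CRLDistributionPoints) == 0 && len(c.OCSPServer) == 0 {
		v = append(v, "no CRL or OCSP endpoint, so clients cannot check revocation")
	}
	if slices.ContainsFunc(c.ExtKeyUsage, func(e x509.ExtKeyUsage) bool { return !slices.Contains(allowedEKU, e) }) {
		v = append(v, "extended key usage set is wider than needed")
	}
	return v
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // panic-on-error helper

// NewSelfSigned builds a constructed self-signed RSA test cert (SHA-256 signed, Go's default) with a made-up name and serial.
func NewSelfSigned(bits int, life time.Duration, crl []string, eku []x509.ExtKeyUsage) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "app.example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(life),
		ExtKeyUsage:           eku,
		CRLDistributionPoints: crl,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

Point Violations at a certificate parsed from the real issuing service and treat any returned finding as a blocker; the self-signed helper exists only so the checks can be exercised without one.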

NickCorcoran commented 2 months ago

Working to set up a meeting

NickCorcoran commented 1 month ago

Had initial meeting w/ Chris and Bruce. Highlighted a need to update standards based on cloud-based services. Was clarified that original intent of standard was for data centre deployed resources.

Another meeting to take place in a few weeks.