cabforum / netsec

Repository for the CA/Browser Forum Network Security Chartered Working Group

Clarify the definitions of 'Certificate Management System' and 'Certificate Systems' #21

Open pjain-fastly opened 2 years ago

pjain-fastly commented 2 years ago

There is a need to further build and clarify the definitions of 'Certificate Management System' and 'Certificate Systems'. There are several instances in BR and NSRs which can be replaced with these defined terms once their definitions are refined. For instance: 5.4.1 requires CAs log "Successful and unsuccessful PKI system access attempts;" however the specific expectations of this requirement are not entirely clear as "PKI system" is not a defined term while seemingly similar/overlapping terms are defined (e.g. Certificate Management System, Certificate Systems, etc.). We should update this requirement to use a defined term.

clintwilson commented 7 months ago

A more common (and likely better) separation between systems would be those systems used to perform signing operations (Signing Systems) and those systems used to perform validation, verification, and registration authority-like processes (RA Systems). There may still be gaps that need to be filled with regards to what systems are used by CAs for in-scope activities, but we should also be mindful of whether the granularity that a defined term provides is necessary to craft the requirements which the systems encompassed by the defined term need to comply with -- that is, if we can create useful, implementable requirements without defining terms which describe the myriad systems and relationships within a CA's infrastructure, maybe we should.