Commit 5df1371f authored by Peter Campbell

More threat updates

parent 6e59a638
+67 −7
@@ -374,11 +374,13 @@ If the certificate generation service in the production system uses a secure cry
NOTE 2:	Security requirements for secure cryptographic devices are out of scope of the present document.

#### 4.2.4.2	Physical security

An enterprise server room or data centre will have some physical access controls.

A cloud service provider will have strong physical security measures in place, but the servers hosting the PKI software will not be physically separated from other infrastructure.

#### 4.2.4.3	Network security

The enterprise will implement security controls such as firewalls on the edge of their network.

The enterprise will implement internal network access controls that limit access to systems hosting the PKI software to authorised users.
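Review bot: 4.2.4.3 Network security covers only the enterprise deployment, whereas the preceding 4.2.4.2 Physical security gives one paragraph for the enterprise server room and one for the cloud service provider; add a matching cloud paragraph to 4.2.4.3 so the two deployment assumptions stay parallel, in particular what network-level separation the PKI product can rely on when, as the cloud paragraph says, its servers "will not be physically separated from other infrastructure". The phrase "some physical access controls" in the enterprise paragraph is too vague to feed the threat analysis; either name the controls assumed or state that the product cannot assume any particular control.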
@@ -475,7 +477,7 @@ Table 4.4 provides a list of assets for a PKI product that supports disseminatio
| DIS12: Certificate store look-up function             | Used to handle requests for certificates from relying parties |
| DIS21: Dissemination user interface           | E.g., remotely accessible web portal |
| DIS22: Subscriber dissemination interface     | E.g., email client interface |
| DIS23: Relying party dissemination interface  | E.g., remotely accessible logical interface | 
| DIS23: Relying party look-up interface  | E.g., remotely accessible logical interface | 

<strong>Table 4.4.</strong> Dissemination assets
</div>
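Review bot: the rename of DIS23 from "Relying party dissemination interface" to "Relying party look-up interface" needs checking against every other mention of the old name in the document, since this hunk shows only Table 4.4. The description column was left as "E.g., remotely accessible logical interface", which no longer distinguishes DIS23 from the other interfaces beyond its name; consider stating that it carries the certificate requests handled by DIS12 (Certificate store look-up function). Both the removed and the new row end with a trailing space after the final `|`, unlike the other rows.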
@@ -543,6 +545,7 @@ Table 4.5 provides a list of assets for a PKI product that supports certificate
| T_SYS16: Accessing system administration functions via an unprotected <br> local administration interface | SYS22 | Authentication |

<strong>Table 4.6.</strong> System administration threats

</div>

#### 4.2.7.2 Registration service
@@ -584,15 +587,15 @@ If the PKI product does not provide support for subscriber management as part of
 | T_GEN08: Accessing signing operations via an unprotected certificate <br> generation function | GEN12 | Authorisation |
 | T_GEN09: Accessing certificate generation functions via an unprotected <br> certificate generation user interface | GEN21 | Authentication |
 | T_GEN10: Denying system operator access via an unprotected certificate <br> generation user interface | GEN21 | Availability |
 | T_GEN11: Modifying information transferred between the product and a secure <br> cryptographic device via an unprotected secure cryptographic device API | GEN22 | Integrity |
 | T_GEN12: Disclosing sensitive information transferred between the product and <br> a secure cryptographic device via an unprotected secure cryptographic device API | GEN22 | Confidentiality |
 | T_GEN13: Disrupting the operation of the secure cryptographic device by requests <br> from the product over the secure cryographic device API | GEN22 | Impact |
 | T_GEN11: Modifying information transferred between the product and a <br> secure cryptographic device via an unprotected secure cryptographic <br> device API | GEN22 | Integrity |
 | T_GEN12: Disclosing sensitive information transferred between the <br> product and a secure cryptographic device via an unprotected secure <br> cryptographic device API | GEN22 | Confidentiality |
 | T_GEN13: Disrupting the operation of a secure cryptographic device via <br> requests from the product over the secure cryographic device API | GEN22 | Impact |

<strong>Table 4.8.</strong> Certificate generation threats

</div>

NOTE 1: Accessing the functionality of the secure cryptographic device via an API that does not provide authentication or authorisation is a threat to the secure cryptoraphic device, not to the cyber security of the PKI product.
NOTE 1: Accessing the functionality of the secure cryptographic device via an API that does not provide authentication or authorisation is a threat to the secure cryptographic device, not to the cyber security of the PKI product.

NOTE 2: Denying access to the secure cryptographic device via an API that does not provide availability is a threat to the secure cryptographic device, not to the cyber security of the PKI product. However, if the operation of the secure cryptographic device is impacted by, for example, the number of signing requests from the PKI product then this is relevant to the cyber security of the PKI product as it violates the principle of minimising the impact of the product on other devices and networks (T_GEN13). 

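Review bot: the rewrapped T_GEN13 row still reads "secure cryographic device API" (missing "t"), so while NOTE 1 fixes "cryptoraphic" the same kind of typo survives in the table; correct it to "secure cryptographic device API" in this change. T_GEN13 also lists "Impact" in the Property column, which is not one of the properties used in the other rows (Integrity, Confidentiality, Authentication, Authorisation, Availability); NOTE 2 explains the intent (minimising the impact of the product on other devices and networks), so either add a pointer from the row to NOTE 2 or phrase the property in the same terms as the other rows.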
@@ -600,6 +603,63 @@ If the PKI product does not support the use of a secure cryptographic device, th

If the product does not support subject key generation or key recovery, the threats to the subject key data (T_GEN04, T_GEN05 and T_GEN06) will not be present and the threat to the key management function (T_GEN07) will only cover the CA key data.

#### 4.2.7.4 Dissemination service

<div align="center">

 | Threat | Asset | Property |
 | --- | :---: | :---: |
 | T_DIS01: Modifying certificates in unprotected certificate store data | DIS01 | Integrity |
 | T_DIS02: Accessing certificate store data via an unprotected certificate <br> store management function | DIS11 | Authorisation |
 | T_DIS03: Accessing disseminiation service functions via an unprotected <br> dissemination user interface | DIS21 | Authentication |
 | T_DIS04: Denying system operator access to via an unprotected dissemination <br> user interface | DIS21 | Availability |
 | T_DIS05: Modifying certificates transferred via an unprotected subscriber <br> dissemination interface | DIS22 | Integrity |
 | T_DIS06: Disclosing subject private keys transferred via an unprotected <br> subscriber dissemination interface | DIS22 | Confidentiality |
 | T_DIS07: Modifying certificate look-up repsonses via an unprotected relying <br> party look-up interface | DIS23 | Integrity |
 | T_DIS08: Denying relying party access to an unprotected relying party <br> look-up interface | DIS23 | Availability | 
 
<strong>Table 4.9.</strong> Dissemination threats

</div>

If the PKI product does not support dissemination services and provides a logical interface to a third-party directory service, then the the threats to the subscriber dissemination interface (T_DIS05 and T_DIS06) apply to the directory service interface instead.

#### 4.2.7.5 Revocation management service

<div align="center">

| Threat | Asset | Property |
| --- | :---: | :---: |
| T_REV01: Modifying information in an unprotected revocation request | REV01 | Integrity |
| T_REV02: Disclosing sensitive information in an unprotected revocation <br> request | REV01 | Confidentiality |
| T_REV03: Approving or denying revocation requests via an unprotected <br> revocation management function | REV11 | Authorisation |
| T_REV04: Modifying information transferred via an unprotected revocation <br> management user interface | REV21 | Integrity |
| T_REV05: Disclosing sensitive information transferred via an uprotected <br> revocation management user interface | REV21 | Confidentiality |
| T_REV06: Accessing revocation management functions via an unprotected <br> revocation management user interface | REV21 | Authentication |
| T_REV07: Denying system operator access to an unprotected revocation <br> management user interface | REV21 | Availability |

<strong>Table 4.10.</strong> Revocation management threats

</div>

The PKI product can support limited revocation management services even if it does not support a certificate status service. In such cases, the threats to the revocation management function (T_REV03) and user interface (T_REV04, T_REV05, T_REV06 and T_REV07) apply to the corresponding certificate generation function and user interface.

#### 4.2.7.6 Certificate status service

<div align="center">

| Threat | Asset | Property |
| --- | :---: | :---: |
| T_STA01: Modifying a certificate revocation status in unprotected certificate <br> status data | STA01 | Integrity, <br> Non-repudiation |
| T_STA02: Accessing certificate revocation status via an unprotected certificate <br> status management function | STA11 | Authorisation |
| T_STA03: Accessing certificate status functions via an unprotected certificate <br> status user interface | STA21 | Authentication |
| T_STA04: Denying system operator access to an unproteted certificate status user <br> interface | STA21 | Availability |
| T_STA05: Modifying a certificate revocation status transferred via an unprotected <br> relying party certificate status interface | STA22 | Integrity, <br> Non-repudiation |
| T_STA06: Denyin relying party access to an unprotected relying party certificate <br> status interface | STA22 | Availability |

<strong>Table 4.11.</strong> Certificate status threats


## 4.3 Security Profile 2 (SP2) - Web PKI
### 4.3.1  SP2 - Assets
### 4.3.2  SP2 - Essential Functions
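Review bot: Table 4.11 is opened with `<div align="center">` but, unlike Tables 4.9 and 4.10 in the same hunk, has no closing `</div>` after its caption, so the heading "## 4.3 Security Profile 2 (SP2) - Web PKI" and everything after it ends up inside the unclosed div; add the `</div>` (with the blank line the other tables use) before the 4.3 heading. Typos in the new rows and text: "disseminiation" (T_DIS03), "access to via" (T_DIS04, drop "to"), "repsonses" (T_DIS07), "the the threats" (paragraph after Table 4.9), "uprotected" (T_REV05), "unproteted" (T_STA04), "Denyin" (T_STA06). Table 4.9 gives no threat for DIS12 (Certificate store look-up function in Table 4.4), although the other service tables give each management function an Authorisation threat (T_DIS02 for DIS11, T_REV03 for REV11, T_STA02 for STA11) and T_DIS07/T_DIS08 already cover the look-up interface DIS23; either add the corresponding row or state why the look-up function is not treated as an asset in its own right. In the paragraph after Table 4.10, the condition is that the product does not support a certificate status service, but the consequence reassigns the revocation management threats (T_REV03 to T_REV07) to the certificate generation function and user interface; please confirm this pairing is intended and say why those threats land on the generation assets, since the paragraph after Table 4.9 explains the equivalent substitution for dissemination and this one does not.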