From 832f46b46374fdd03f125c42154f9139711b62f7 Mon Sep 17 00:00:00 2001 From: "Bozawglanian, Hagop (hb755d)" Date: Fri, 26 Oct 2018 22:13:03 +0000 Subject: VNFRQTS - Reword and Move Security Req SECCOM 1 Changes to reword and move security requirements after SECCOM reviews. Includes changes for VNFRQTS-373,374,375,379,423 Issue-ID: VNFRQTS-373 Change-Id: I10182e74ecbe0e15a9dbe3536986e0be6f8f0f73 Signed-off-by: Bozawglanian, Hagop (hb755d) --- docs/Chapter4/Security.rst | 73 +++++++++++++++++++++++++--------------------- 1 file changed, 39 insertions(+), 34 deletions(-) (limited to 'docs/Chapter4/Security.rst') diff --git a/docs/Chapter4/Security.rst b/docs/Chapter4/Security.rst index 9bba923..1757be6 100644 --- a/docs/Chapter4/Security.rst +++ b/docs/Chapter4/Security.rst @@ -172,14 +172,6 @@ the product’s lifecycle. control process with vulnerabilities disclosed along with mitigation recommendations. -.. req:: - :id: R-78010 - :target: VNF - :keyword: MUST - - The VNF **MUST** use the NCSP's IDAM API for Identification, - authentication and access control of customer or VNF application users. - .. req:: :id: R-62498 :target: VNF @@ -197,17 +189,6 @@ the product’s lifecycle. The VNF **MUST**, if not using the NCSP's IDAM API, comply with the NCSP's credential management policy. -.. req:: - :id: R-41994 - :target: VNF - :keyword: MUST - - The VNF **MUST**, if not using the NCSP's IDAM API, comply - with "No Self-Signed Certificates" policy. Self-signed certificates - must be used for encryption only, using specified and approved - encryption protocols such as TLS 1.2 or higher or equivalent security - protocols such as IPSec, AES. - .. req:: :id: R-80335 :target: VNF 
@@ -366,8 +347,8 @@ Identity and Access Management Requirements :keyword: MUST :updated: casablanca - The VNF **MUST**, if not integrated the Operator's Identity and Access - Management system, support configurable password expiration. + The VNF **MUST**, if not integrated with the Operator's Identity and + Access Management system, support configurable password expiration. .. req:: :id: R-98391 
@@ -385,18 +366,18 @@ Identity and Access Management Requirements :keyword: MUST :updated: casablanca - The VNF **MUST**, if not integrated with the Operator's Identity - and Access Management system, comply with "password complexity" - policy. When passwords are used, they shall be complex and shall at - least meet the following password construction requirements: (1) be a - minimum configurable number of characters in length, (2) include 3 of - the 4 following types of characters: upper-case alphabetic, lower-case - alphabetic, numeric, and special, (3) not be the same as the UserID - with which they are associated or other common strings as specified - by the environment, (4) not contain repeating or sequential characters - or numbers, (5) not to use special characters that may have command - functions, and (6) new passwords must not contain sequences of three - or more characters from the previous password. + The VNF **MUST**, if not integrated with the Operator’s Identity and + Access Management system, comply with “password complexity” policy. When + passwords are used, they shall be complex and shall at least meet the + following password construction requirements: (1) be a minimum configurable + number of characters in length, (2) include 3 of the 4 following types of + characters: upper-case alphabetic, lower-case alphabetic, numeric, and + special, (3) not be the same as the UserID with which they are associated + or other common strings as specified by the environment, (4) not contain + repeating or sequential characters or numbers, (5) not to use special + characters that may have command functions, and (6) new passwords must + not contain sequences of three or more characters from the previous + password. .. req:: :id: R-79107 
@@ -415,9 +396,19 @@ Identity and Access Management Requirements :keyword: MUST :updated: casablanca - The VNF **MUST** authenticate all access to protected GUIs, CLIs, + The VNF **MUST**, if not integrated with the Operator's identity and + access management system, authenticate all access to protected GUIs, CLIs, and APIs. +.. req:: + :id: R-78010 + :target: VNF + :keyword: MUST + :updated: casablanca + + The VNF **MUST** integrate with standard identity and access management + protocols such as LDAP, TACACS+, Windows Integrated Authentication + (Kerberos), SAML federation, or OAuth 2.0. VNF API Security Requirements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -1087,3 +1078,17 @@ applicable to encryption or protocol meethods. The VNF **MUST** support HTTP/S using TLS v1.2 or higher with strong cryptographic ciphers. + +.. req:: + :id: R-41994 + :target: VNF + :keyword: MUST + :updated: casablanca + + The VNF **MUST** support the use of X.509 certificates issued from any + Certificate Authority (CA) that is compliant with RFC5280, e.g., a public + CA such as DigiCert or Let's Encrypt, or an RFC5280 compliant Operator + CA. + + Note: The VNF provider cannot require the use of self-signed certificates + in an Operator's run time environment. -- cgit 1.2.3-korg
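Review bot: in hunk @@ -172,14 +172,6 @@ the requirement ID R-78010 removed here is reused later in the same patch for a requirement with a different meaning (from "MUST use the NCSP's IDAM API" to "MUST integrate with standard identity and access management protocols such as LDAP, TACACS+, ..."). Reusing an ID for a changed scope breaks traceability for anyone who tracked compliance against the old text; either assign a new ID and retire R-78010, or record the change of meaning explicitly, since the `:updated: casablanca` marker alone does not say that the scope changed.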
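Review bot: after the deletion in hunk @@ -197,17 +189,6 @@, the remaining R-62498 still reads "if not using the NCSP's IDAM API", while the requirements updated elsewhere in this patch use "if not integrated with the Operator's Identity and Access Management system". The two phrasings now coexist for the same condition; suggest aligning R-62498 to the casablanca wording in the same change. Note also that the removed text's explicit "TLS 1.2 or higher ... IPSec" clause for self-signed certificates is not carried into the replacement R-41994 at the end of the file, so transport strength for that case now rests solely on the HTTP/S TLS v1.2 requirement visible in the last hunk's context.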
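Review bot: in hunk @@ -385,18 +366,18 @@ the only content change in this reflow is the swap from straight to typographic quotes (Operator’s, “password complexity”), which is inconsistent with the straight apostrophe kept in the @@ -366,8 +347,8 @@ hunk ("Operator's") and with the surrounding file; keep straight quotes in the RST source so the diff stays whitespace-only. While the text is being touched, item (5) "not to use special characters" breaks the parallel structure of the list; "not use special characters" matches items (3) and (4).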
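Review bot: in hunk @@ -415,9 +396,19 @@ the last added line of the new R-78010 block ("(Kerberos), SAML federation, or OAuth 2.0.") is followed directly by the "VNF API Security Requirements" heading with no blank line in between; docutils closes an indented directive body that ends without a blank line with the warning "Explicit markup ends without a blank line; unexpected unindent", so add a blank line before the heading. Two smaller points: the modified line uses lower-case "identity and access management system" where the other updated requirements in this patch use "Identity and Access Management system", and the new requirement's "such as LDAP, TACACS+, ..." list leaves open whether supporting one protocol is sufficient or all are expected; "at least one of" would make it testable.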
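Review bot: in hunk @@ -1087,3 +1078,17 @@ the operationally important prohibition ("The VNF provider cannot require the use of self-signed certificates in an Operator's run time environment") sits in a "Note:" paragraph rather than in the requirement text, so it carries no MUST / MUST NOT keyword and is not testable as a requirement; suggest folding it into R-41994 as a MUST NOT clause or giving it its own req. Minor: "RFC5280" is conventionally written "RFC 5280", and the unchanged context line "applicable to encryption or protocol meethods." has a typo ("methods") that could be fixed in the same change.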