<div dir="ltr"><div dir="ltr"><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Hello Everyone,</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:16px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Here are the draft minutes of the meeting held on Tuesday, Sept-14-2021.</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Thanks,</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Prachi</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">-------------------------------------------------------------------------------------------------------------</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><b>Attendees</b>:</p>
<ul class="gmail-ul1">
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Ben Wilson (Mozilla)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Clint Wilson (Apple)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Corey Bonnell (DigiCert)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Daniel Jeffery (Fastly)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>David Kluge (Google Trust Services)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Dustin Hollenback (Microsoft)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Janet Hines (SecureTrust)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Niko Carpenter (SecureTrust)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Prachi Jain (Fastly)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Quan Nham (Fastly)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Tim Crawford (BDO)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Trevoli Ponds-White (Amazon Trust Services)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Tyler Myers (GoDaddy)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Gabriel Petcu (CertSign)</li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Jose Guzman (GoDaddy)</li>
</ul>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:15px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><b>Anti-trust statement</b></p>
<ul class="gmail-ul1">
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Clint Wilson (Apple) read the anti-trust statement</li></ul>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:15px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><b>Minute Taker</b></p>
<ul class="gmail-ul1">
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>Prachi Jain (Fastly)</li>
</ul>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:15px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><b>Approve Previous Minutes</b></p>
<ul class="gmail-ul1">
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-s1" style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:9px;line-height:normal;font-family:Menlo"></span>2021-Aug-31 minutes approved</li></ul>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:16px"><b></b><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><b>Doodle Poll Discussion</b></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:16px"><b></b><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Clint Wilson (Apple) mentioned that, as per the Doodle results, the existing time suits everyone best: 8 out of 11 responses are in favor of keeping the same time. The decision was taken to keep the meeting as is, at 18:00 UTC on Tuesdays.</p>
<p class="gmail-p3" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:15px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><b>Discussion Regarding Inflight Ballots</b></p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:16px"><b></b><br></p>
<ol class="gmail-ol1">
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><u><b><a href="https://github.com/cabforum/servercert/commit/63d2d1eef357fa139eb1da96a46347db9f353148">Ballot SC34 (not requiring manual review of inactive user accounts)</a></b></u> – Trevoli Ponds-White (Amazon Trust Services) mentioned that she has emailed Tobias about this. No further updates.<br><br></li><li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><b><u><a href="https://github.com/cabforum/servercert/compare/main...clintwilson:SCXX---Audit-Logs-and-Records-Archives">Ballot SCXX - Audit Log and Archive Retention</a></u></b> – Clint Wilson (Apple) mentioned that he has updated the document to bring it current with version 1.8 of the BRs. The major difference is a definition added to section 1.6. It was also mentioned that the document is now ready to be taken to the SCWG to get a ballot number as well as sponsors. Ben Wilson (Mozilla) said that every time we add a definition to the Network Security Requirements, we need to ensure that the same word is not already defined in the Baseline Requirements, in order to avoid a conflict. Clint agreed with Ben's comment and said that no conflicts were found in this case. He then showed and walked through the document.
Trevoli Ponds-White (Amazon Trust Services) asked for some clarification around 5.4.1, where it says that the <i>'CA and each Delegated Third Party SHALL record events related to the security of their Certificate Systems, ...'</i>. Daniel Jeffery (Fastly) agreed that it is unclear. The decision was made to change the language so that it reads '<i>CA and Delegated Third Party shall record their events...</i>'. Ben Wilson (Mozilla) commented that for some of the terms used in 5.5.1, such as 'Certificate Systems', 'Certificate Management Systems' and 'Root CA Systems', we might end up defining them as part of the Network Security subcommittee's process, because there has always been discussion around what they actually mean. Clint Wilson (Apple) mentioned that pointers to the NSR definitions have been added in these sections to avoid that ambiguity. Trevoli Ponds-White (Amazon Trust Services) will endorse this ballot. It still needs one more endorser. David Kluge (Google) asked, regarding section 5.1.1, whether there is an intention to differentiate between archiving, retaining and storing, or whether they are all the same, since they can be misunderstood.
Clint clarified that it's fine to have two copies of the records, one in audit log storage and another in the archive, as long as they are stored for 2 years after the event occurred. They are really speaking to the same thing. He also added that archive logs go a little further, since they include not only audit logs but also things like validation activity. Trevoli added that the usage of the word 'archives' is benign.<br><br></li><li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><a href="https://github.com/cabforum/servercert/compare/main...clintwilson:ctw-2_add-persistent-ca-services"><b>Ballot SCXX - Remove BR 4.1.1 (Database for Suspicious Certificate Requests)</b>:</a> No major updates. Going to move forward to the SCWG to get a ballot number. Ben Wilson (Mozilla) pointed out that in 6.1.1.3 '<i>Forbidden, Weak, or Compromised Keys</i>' are capitalized but are not defined terms in the BRs. Clint will verify and make the updates.<br><br></li>
<li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:"Helvetica Neue""><b style="font-size:13px"><a href="https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit">Ballot SC32 - Remove Zones</a> –</b> Ben discussed the redlined version of the Network Security Requirements (<a href="https://docs.google.com/document/d/1c4_4axIV34pXWsb0BBjGaI7NLJ-PQcq1/edit" style="font-size:13px">link</a>). Trevoli asked if everyone is aware of the reason we want to remove the zones concept. Daniel Jeffery (Fastly) said that it's an attempt to take out language which does not have a clear meaning and to clarify the requirements. Trevoli said that we were using zones interchangeably for physical and logical spaces. A thorough discussion was held around Ryan Sleevi's comments on this ballot (<a href="https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002033.html" style="font-size:13px">link</a>). Ben and Trevoli discussed 1.e, around having boundaries between Certificate Systems and non-certificate systems. It was mentioned that it is not clear whether there is an expectation that the Certificate System has to be in a physically different location from non-certificate systems, and what constitutes 'physically different'. David Kluge (Google) agreed and said that the challenge with the zones concept has always been that it ties the hosting requirements to the business purpose and not to the actual security. Ben further talked about 1.e and said maybe we should think about starting from scratch and writing a version 2.0 of the Network Security Requirements. David agreed, but also added that it's important to have a discussion if Ryan Sleevi feels that zones are central to CA infrastructure security. He also added that no real risk has been brought up during the past discussions. Trevoli agreed.
Daniel chimed in and said that this goes back to past conversations the NetSec group has had around using an existing regulatory framework and building a PKI-specific overlay on top of it, instead of reinventing the wheel. Trevoli said that 1.e of the Network Security Requirements reads as logical separation vs. physical separation. Clint added his perspective, where he read it as either physical or logical. Daniel added that he has implemented it in the past as a combination of the two. Further discussion was held around 1.e and how the language can be changed. David brought back the point that we need to know whether there is a substantiated concern with this ballot. Trevoli suggested that we should go back to the SCWG and ask for specific concerns on 1.e. Daniel said that he feels strongly that we should move away from defining these requirements at all, and everyone agreed to some extent. Trevoli further mentioned that the pain points group led by David made some substantial improvements.<br><i><b>Action Item:</b> Ben will send an email to the SCWG to get this ballot out in discussion again with the modified language.</i><br><br></li><li class="gmail-li1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:"Helvetica Neue""><a href="https://docs.google.com/document/d/1cnb1JNuckOjo5UbQdWVtU5t-PpS2HLt7/edit" style="font-size:13px"><b>Ballot SC40 - Air-Gapped / Offline CAs</b></a>: Ben Wilson (Mozilla) said that we may want to look into past versions of the Network Security Requirements to find out whether anything has changed in the principle behind air-gapped CA systems. He also added the definition of 'Principle of least privilege' as suggested by Microsoft. There was some discussion on whether it would make more sense to send the air-gapped ballot before the zones ballot.</li></ol><div><br></div><div><b>Closing thoughts:</b></div><div>1. Since we couldn't get through the entire agenda in this meeting, we will start with the GitHub work in the next meeting.</div><div>2. We will continue the Cloud Security sub-group meeting.</div><div>3. Daniel Jeffery (Fastly) would like to take some time in the next Cloud Security sub-group meeting to share his thoughts around the strategy.</div><div><br></div><div>_______________________________________________<br>Netsec mailing list<br><a href="mailto:Netsec@cabforum.org" target="_blank">Netsec@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/netsec" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/netsec</a></div></div></div>