<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1788310591;
mso-list-template-ids:-1083676212;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head><body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Ben,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As the rapporteur for the new revised V8 version of the Critical Security Controls at ETSI TC CYBER, as well as CIS’ representative, might I suggest that if the new working group gets underway it consider developing a profile of the
Controls that would be applicable within the scope of the new work. I have attached the latest version set for adoption in two weeks. There are multiple considerable advantages to using the Controls, which include extensive global adoption and use by multiple
communities and nations, cross-mapping to almost all other control schemes, inclusion in an array of automation tools, and instantiation into all cloud OS platforms. It also has a very active user/developer community. See
<a href="https://www.cisecurity.org/controls/">CIS Critical Security Controls (cisecurity.org)</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best,<br>
tony<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Public &lt;public-bounces@cabforum.org&gt; <b>On Behalf Of
</b>Ben Wilson via Public<br>
<b>Sent:</b> Thursday, 28 October, 2021 12:35 PM<br>
<b>To:</b> CA/Browser Forum Public Discussion List &lt;public@cabforum.org&gt;<br>
<b>Subject:</b> [External] [cabfpub] Draft Working Group Charter for Network Security WG<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">All,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Here is a draft charter for a Network Security Working Group. Please provide your comments, and then we will finalize this work in the form of a Forum Ballot and Server Certificate WG Ballot.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Ben<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in" id="gmail-docs-internal-guid-8dd19628-7fff-46c9-4209-a1a5e4e3a650">
<b><span style="font-size:18.0pt;font-family:"Times New Roman",serif;color:black">Overview</span></b><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">In January 2013 the CA/Browser Forum’s “Network and Certificate System Security Requirements” (NCSSRs) became effective. In June 2017, the Forum chartered a Network Security Working
Group to re-visit the NCSSRs. That charter expired on June 19, 2018, and in October 2018, the Server Certificate Working Group (SCWG) established a Network Security Subcommittee (NetSec Subcommittee) to continue work on the NCSSRs.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">This ballot proposes to charter a new Network Security Working Group (NetSec WG) to replace the NetSec Subcommittee, to continue work on the NCSSRs, and to conduct any and all business
related to improving the security of Certification Authorities. </span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">Following the passage of this/these ballot(s):</span><o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li style="color:black;margin-top:12.0pt;margin-bottom:0in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif">A new NetSec WG will be chartered under the CA/B Forum, pursuant to section 5.3.1 of the Bylaws;</span><span style="font-family:"Arial",sans-serif"><o:p></o:p></span></li><li style="color:black;margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif">The SCWG’s existing NetSec Subcommittee will be dissolved by the SCWG and the Charter of the SCWG will be amended to note that work on the NCSSRs is within the authorized scope of the NetSec
WG; </span><span style="font-family:"Arial",sans-serif"><o:p></o:p></span></li><li style="color:black;margin-top:0in;margin-bottom:0in;mso-list:l0 level1 lfo1;vertical-align:baseline">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif">The existing mailing list and other materials developed for the NetSec Subcommittee will be repurposed for use by the NetSec WG; and</span><span style="font-family:"Arial",sans-serif"><o:p></o:p></span></li><li style="color:black;margin-top:0in;margin-bottom:12.0pt;mso-list:l0 level1 lfo1;vertical-align:baseline">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif">The Forum will develop a procedure to coordinate the NetSec WG’s adoption of security-related recommendations for requirements or guidelines that are within the purview of the other Forum WGs
(the BRs/EVGs by the SCWG, Baseline Requirements for Code Signing Certificates of the CSCWG, etc.). <o:p></o:p></span></li></ol>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:18.0pt;font-family:"Times New Roman",serif;color:black">NetSec WG Charter</span></b><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">A chartered Working Group (“NetSec WG”) is created to perform the activities as specified in this Charter, subject to the terms and conditions of the CA/Browser Forum Bylaws (<a href="https://cabforum.org/bylaws/">https://cabforum.org/bylaws/</a>)
and Intellectual Property Rights (IPR) Policy (<a href="https://cabforum.org/ipr-policy/">https://cabforum.org/ipr-policy/</a>), as such documents may change from time to time. This charter for the NetSec WG has
been created according to CAB Forum Bylaw 5.3.1. In the event of a conflict between this Charter and any provision in either the Bylaws or the IPR Policy, the provision in the Bylaws or IPR Policy shall take precedence. The definitions found in the Forum’s
Bylaws shall apply to capitalized terms in this Charter.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">1. Scope</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> - The scope of work performed by the NetSec WG includes:</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">1. To modify and maintain the existing Network and Certificate System Security Requirements (NCSSRs), or a successor requirements document;</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">2. To make recommendations for improvements to security controls in the requirements or guidelines adopted by other Forum WGs (e.g. see sections 5 and 6 of the Baseline Requirements);</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">3. To create new requirements, guidelines, and best practices related to the security of CA operations;</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">4. To perform risk analyses, security analyses, and other types of reviews of threats and vulnerabilities applicable to CA operations involved in the issuance and maintenance of
publicly trusted certificates (e.g. server certificates, code signing certificates, SMIME certificates, etc.); and</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">5. To perform other activities ancillary to the primary activities listed above.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">2. Out of Scope</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> – The NetSec WG shall not adopt requirements, Guidelines, or Maintenance
Guidelines concerning certificate profiles, validation processes, certificate issuance, certificate revocation, or subscriber obligations.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">3. End Date</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> – The NetSec WG shall continue until it is dissolved by a vote of the CA/B
Forum.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">4. Deliverables</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> - The NetSec WG shall be responsible for delivering and maintaining the
NCSSRs and any other documents the group may choose to develop and maintain.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">5. Participation and Membership</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> – Membership in the NetSec WG shall be limited to Certificate
Issuer Members and Certificate Consumer Members of the Server Certificate Working Group, the Code Signing Certificate Working Group, or the SMIME Certificate Working Group.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">In accordance with the IPR Policy, Members that choose to participate in the NetSec WG MUST declare their participation and shall do so prior to participating. A Member must declare
its participation in the NetSec WG by requesting to be added to the mailing list. The Chair of the NetSec WG shall establish a list for declarations of participation and manage it in accordance with the Bylaws, the IPR Policy, and the IPR Agreement.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">The NetSec WG shall include Interested Parties and Associate Members as defined in the Bylaws.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">Resignation from the NetSec WG does not prevent a participant from potentially having continuing obligations under the Forum’s IPR Policy or any other document.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">6. Voting Structure</span></b><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">The NetSec WG shall consist of two classes of voting members, Certificate Issuers and Certificate Consumers. In order for a ballot to be adopted by the NetSec WG, two-thirds or more
of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted.
Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three NetSec WG Meetings or Teleconferences (not counting subcommittee meetings thereof). For transition purposes, if three meetings
have not yet occurred, then quorum is ten (10).</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">7. Leadership</span></b><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">Chair</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> – Clint Wilson shall be the initial Chair of the NetSec WG.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">Vice-Chair</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> - David Kluge shall be the initial Vice-Chair of the NetSec WG.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">Term.</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> The Chair and Vice-Chair will serve until October 31, 2022, or until they are
replaced, resign, or are otherwise disqualified. Thereafter, elections shall be held for chair and vice chair every two years in coordination with the Forum’s election process and in conjunction with its election cycle. Voting shall occur in accordance with
Bylaw 4.1(c). In the event of a midterm vacancy, the NetSec WG will hold a special election and the selected candidate will serve the remainder of the existing term.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">8. Communication</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> - NetSec WG communications and documents shall be posted on mailing-lists
where the mail-archives are publicly accessible, and the NetSec WG shall publish minutes of its meetings to the Forum’s website.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">9. IPR Policy</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> - The CA/Browser Forum Intellectual Property Rights Policy, v. 1.3 or later, shall
apply to all Working Group activity.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">10.</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">
<b>Other Organizational Matters</b></span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">Reserved.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black">Effect of Forum Bylaws Amendment on Working Group</span></b><span style="font-size:12.0pt;font-family:"Times New Roman",serif;color:black"> - In the event that Forum Bylaws are
amended to add or modify general rules governing Forum Working Groups and how they operate, such provisions of the Bylaws take precedence over this charter.</span><o:p></o:p></p>
<p style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
</div>
</div>
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
</body></html>