[cabf_netsec] Draft notes of meeting today 10-August-2017

Ben Wilson ben.wilson at digicert.com
Thu Aug 10 15:51:38 MST 2017


In Attendance:  Ben Wilson, Travis Graham, Xiu Lei, Jeff Stapleton, Kirk
Hall, Dean Coclin, Robin Alden, Wayne Thayer, Curt Spann, David King,
Dimitris Zacharopoulos, Tim Hollebeek, Steve Hillier, Neil Dunbar, Tobi
Josefowitz,  Chris Salter, Peter Bowen, and Jeff Ward  

Dimitris has made minor changes to the quick-fix version of the Network and
Certificate Systems Security Requirements on GitHub and published a redlined
version, but the redline version exported from GitHub to PDF does not
highlight additions.  We'll need to come up with a long-term solution for
that.  It is an issue to bring before the entire Forum.  Ben will propose a
pre-ballot to the public list and include a redlined PDF.

Kirk asked whether we had considered his email dated 2-Aug-2017 in which he
relayed a request of Pat Milot of Entrust to revise the definition of "Root
CA" because in an offline state, a Root CA is not an "Issuing System".  Kirk
noted that you shouldn't have to bring a Root CA back online just to change
a password every 90 days.  The group felt that it would be better to go
forward with the quick-fix ballot and address the issue separately.  Ben
said that there was an exception for that situation.  It was also noted that
definitions for "offline" and "air-gapped" would lead to greater clarity.
Jeff Ward noted that auditors do run into problems with interpretation and
he asked Ben to spot that exception.  [Subsequent to the call -- the
exception is in the words "where technically feasible" in section 2.g.]  

Kirk asked whether we had decided to revise the Network Security
Requirements after the quick-fix ballot, and if so whether we had a game
plan for addressing issues.  It was generally agreed on the call, and
previously noted by Peter in reference to an effort/discussion with Tim
Crawford of BDO, that it would be better to improve the existing
requirements because other security standards don't quite meet our needs.
They are either too general or too specific.  

Kirk suggested that it would be good to look at the definitions.  Neil said
that the Requirements need to account for the way IT business is done today
and that the Requirements were written based on decades-old models.  Peter
offered to head a group of several volunteers who would discuss and compile
a list of cloud and virtualization issues.  Ben would create a list of other
issues to prioritize using Doodle Poll or Survey Monkey.   

The remainder of time on the call was spent discussing cloud/virtualization.
Neil noted that a rogue hypervisor administrator could really create a
security mess.  It was generally agreed that there needed to be logical
segregation of systems when using hypervisors so that no VMs of lesser
security (a spammer) could be next door to sensitive PKI systems.  [The
conversation continued, but unfortunately the minute-keeper did not have
WebEx recording turned on.]

Meeting adjourned.
