[cabf_netsec] Minutes - Meeting of 29 June 2017

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu Jul 6 06:21:56 MST 2017

Below are the minutes from the Network Security Working Group meeting of 29 June 2017

  1.  Call to order - Kirk Hall, WG Chair pro tem

*  Attendees were: Ben Wilson (DigiCert), Bruce Morton (Entrust), Dimitris Zacharopoulos (HARICA), Jeff Stapleton (Wells Fargo), Jos Purvis (Cisco), Kirk Hall (Entrust), Peter Bowen (Amazon), Tim Hollebeek (Trustwave), Jonathan Sun (CFCA), Phillip Hallam-Baker (Comodo), Tia Pope (Cisco), Tom Ritter (Mozilla), Tony Rutkowski, Xiu Lei (GDCA), Alexsei Ivanov (Leader Telecom), Chris Salter (CIS)

  2.  Call for nominees, election of Chair/Co-Chair - Kirk Hall, Chair pro tem

*  Bruce Morton volunteered to be chair

  3.  Approval of Agenda

*  Agenda was approved

  4.  Review of Network Security Working Group charter (see Ballot 203 below)

*  Charter was reviewed. It was discussed that the CAs are having challenges with implementing the Network Security requirements. However, it was also stated that the CAs have already implemented the Network Security document, so replacing it could be a concern. There are better ways and requirements which should be reviewed.

*  Is the Forum the right place to maintain the document? Should we use another forum?

*  The original NetSec document started with a meeting at Trustwave after the DigiNotar incident. The NetSec document was based on a Symantec document and pared it down. The NetSec document also mapped in items from WebTrust and ETSI so as to not re-create the wheel.

*  Other documents show overlay or normative methods. Some documents defer and say authentication shall meet some other reference.

*  We do not want to abdicate the standards which are over the CAs.

*  Need to consider auditability issues, so we might not want to reference.

*  Do not want to conflict with WebTrust or ETSI, but point to other criteria that we already have to meet.

  5.  Discussion of possible approaches, including but not limited to:
a.  Eliminate NetSec Requirements entirely
*  Repeal and don't replace was not supported. It was stated that we need some minimum standard.
*  There was some opposition to scrapping the NetSec document.
*  Need to review PCI-type requirements for vulnerability scans and pen testing.

b.  Short-term "patch" of existing NetSec Requirements while considering long-term solution
*  It was agreed to patch the NetSec document in the short term. This will support CAs with current implementations and upcoming audits.
*  Some items are implemented when they don't make sense, but are done just to clear an audit.
*  Dimitris supports a patch and would like to remove unnecessary pain.
*  There was concern about a short-term fix taking too long.
*  Ben has a spreadsheet of items which is included with the agenda email.
*  Ben and Dimitris to triage the list to determine patch items.
*  Need to address off-line roots, but this might create an issue.
*  Bruce to review to see if the roots could be addressed with a definition change.

c.  Long-term rewrite of existing NetSec Requirements
*  Some items will take a long time to correct. These would not be included in the short-term fixes and may be delayed to a re-formatting of the NetSec document.

d.  Long-term rewrite of requirements using alternative model(s) as a starting point
*  Not discussed.

e.  Preferred style of new NetSec Requirements - detailed and prescriptive, or goal-based but with CA discretion?
*  Not discussed.

  6.  Possible alternative models:
a.  CIS Critical Security Controls https://www.cisecurity.org/controls/
*  Criteria would be acceptable, but controls would be hard to meet. Could review controls. There is a NIST document which maps to the CSC document.
b.  Other existing models
*  ISO 21188, which is being updated
*  NIST SP 800-53
*  Some documents describe illustrative controls
*  CA protection profile, Ben to forward

  7.  Auditability considerations

*  Not thoroughly discussed.

  8.  Timelines - milestones, goals for completion

*  Not discussed.

  9.  Next steps

*  Ben and Dimitris to provide suggestions for short-term fixes.

*  Bruce to review offline root issue.

*  Ben to provide CA protection profile.

Bruce Morton
Entrust Datacard
