[cabf_netsec] Draft Minutes of Meeting 13-December-2018
ben.wilson at digicert.com
Tue Dec 18 14:26:13 MST 2018
Present: Peter M., Bruce, Corey Rasmussen, David K., Fotis, Robin, Ben, Marcelo, Tim Tobias, Tim C., Pavan, Corey Chapeski
Antitrust Statement was read
Previous minutes were approved.
Ben suggested that we start breaking into subgroups beginning the second half of January.
Bruce said he had a list of specific issues with the current NCSSRs that he would like to have addressed. He'll collect those and send them to the list. The intent is not to rewrite the NCSSRs but to obtain clarification on those issues.
Bruce said his first concern is about the distinction between online CAs vs. offline roots, and that we need to make sure we have the right definitions. The security controls need to be different for an online item than they are for an offline item. The NCSSRs need to be more clear about what system(s) a requirement applies to.
David said he faces a similar problem. "We have different names for things, and it would help to clarify the terminology." He would like them to be written in a way that helps them identify whether a requirement applies or not. One example is use of the term "security support system". We are forced to make an interpretation, whereas more specific description of components (HSM, signing service, etc.) would help clarify requirements.
Bruce noted that we need to be able to all come up with the same interpretation when we read the NCSSRs.
Ben said that as a group, long-term, it looks like we have three potential streams of work that we could work on equally - overhaul (Dimitris proposal), fixing current bugs (discussed above), and threat-vulnerability approach (e.g. using Sea Sponge). So we could divide our time and effort in three different ways.
Another item is 4.f. (96-hour remediation of Critical Vulnerabilities).
Ben suggested that members come forward with actual language to amend the NCSSRs because that will save time - we won't have to discuss things over and over again without resolution.
For section 4.f, as an example, we could take apart all terms that are subject to interpretation ("discovery", "Critical Vulnerability", etc.) and propose new language.
Corey Chapeski said that he was working on this issue with 4.f. and drafting language to amend it.
Ben asked that this area of discussion (amendments to the NCSSRs) continue on the mailing list until our next call on 10-January-2019.
We then looked at Sea Sponge. The threat model tool allows you to specify "assumptions", define threats and trust boundaries, etc., and has templates/stencils for these objects. The interface allows you to save and download your work, but does not appear to offer very good online collaboration for a group like ours.
It was decided that we should work with another outlining tool or mind mapping tool first to enumerate all of the components of the threat model and then maybe Sea Sponge could be used as a visualization tool.
Ben asked for volunteers as project managers to remind people to work on the projects we have. We have a number of things that we need to make progress on - the threat model, updates to the NCSSRs, etc. David volunteered to help remind people over email, on a weekly basis, that we need to make progress on this work before our next call in January.