[cabf_netsec] Draft Final Report of the NetSec WG
jimmy at it.auth.gr
Thu Jun 14 11:32:25 MST 2018
Neil, I think this is an excellent draft and captures the general
feeling of the WG. I believe we examined CIS and ISO 27000. The result
of this examination was that these are frameworks for Information
Security Management Systems and provide excellent guidance, but they
have to be specifically applied to a CA management system in order to
produce meaningful and auditable criteria.

There were attempts to map CIS with NSR and WebTrust for CAs. It appears
that there are many similarities. And to be realistic, WebTrust for CAs
and ETSI EN 319 401 (with references to ISO 27002) provide excellent
guidance and include a large number of illustrative controls that could
apply to the CA industry.

IMO the NSRs describe more specific "practices/procedures" (how we
achieve our policies) rather than "policies" (what we want and why),
which is a good thing, but they fall short on describing some of the
existing security challenges. The examined frameworks provide general
areas of concern that need to be further analyzed in more detail in
order to produce specific requirements, consistent with the security
goals of the CA industry.
On 14/6/2018 5:42 PM, Neil Dunbar via Netsec wrote:
> Following on from the London discussion, I've prepared a skeleton
> document to serve as the basis of the final report, which is attached
> within. The key takeaways are:
>
> 1. The existing NetSec requirements stink
> 2. The other security standards don't stink, but don't really fit either
> 3. We should keep the NSSRs as the base document, but heavily update
> 4. We should try to charter a new WG to continue to work on that
> updating process, but continue as a subcommittee of the SCWG post
> July 3, until this is done.
>
> What's missing from the document (apart from common sense, clarity of
> text and purpose)? The external standards which were considered, but
> rejected as not a particularly good fit. The other members of the WG
> will be able to fill in those details with better memory than I can.
> Hopefully we can discuss this at the next meeting. I don't think that
> we need be exhaustive in picking out every fault. It's enough to say
> "Standard X was considered, but it doesn't really speak to delegated
> third party deployments", or "doesn't mention multi-party access",
> that sort of thing.