[cabf_netsec] Draft Final Report of the NetSec WG

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Jun 14 11:32:25 MST 2018


Neil, I think this is an excellent draft and captures the general 
feeling of the WG. I believe we examined CIS and ISO 27000. The result 
of this examination was that these are frameworks for Information 
Security Management Systems and provide excellent guidance, but they 
have to be specifically applied to a CA management system in order to 
produce meaningful and auditable criteria.

There were attempts to map CIS with NSR and WebTrust for CAs. It appears 
that there are many similarities. And to be realistic, WebTrust for CAs 
and ETSI EN 319 401 (with references to ISO 27002) provide excellent 
guidance and include a large number of illustrative controls that could 
apply to the CA industry.

IMO the NSRs describe more specific "practices/procedures" (how we 
achieve our policies) rather than "policies" (what we want and why), 
which is a good thing, but they fall short on describing some of the 
existing security challenges. The examined frameworks provide general 
areas of concern that need to be further analyzed in more detail in 
order to produce specific requirements, consistent with the security 
goals of the CA industry.


Dimitris.

On 14/6/2018 5:42 PM, Neil Dunbar via Netsec wrote:
> Colleagues,
>
> Following on from the London discussion, I’ve prepared a skeleton 
> document to serve as the basis of the final report, which is attached 
> within. The key takeaways are:
>
>  1. The existing NetSec requirements stink
>  2. The other security standards don’t stink, but don’t really fit either
>  3. We should keep the NSSRs as the base document, but heavily update
>     them.
>  4. We should try to charter a new WG to continue to work on that
>     updating process, but continue as a subcommittee of the SCWG post
>     July 3, until this is done.
>
>
> What’s missing from the document (apart from common sense, clarity of 
> text and purpose)? The external standards which were considered, but 
> rejected as not a particularly good fit. The other members of the WG 
> will be able to fill in those details with better memory than I can. 
> Hopefully we can discuss this at the next meeting. I don't think that 
> we need to be exhaustive in picking out every fault. It's enough to say 
> “Standard X was considered, but it doesn’t really speak to delegated 
> third party deployments”, or “doesn’t mention multi-party access”, 
> that sort of thing.
>
> Regards,
>
> Neil
>
>
> _______________________________________________
> Netsec mailing list
> Netsec at cabforum.org
> http://cabforum.org/mailman/listinfo/netsec
