[cabf_netsec] Draft Final Report of the NetSec WG

Tim Hollebeek tim.hollebeek at digicert.com
Fri Jun 15 05:53:25 MST 2018

I think this is an excellent start, but I do have some comments.


I think conclusion #1 is overly critical of the NSSRs.  While we certainly did find some areas where there need to be significant improvements, I think the consensus of the group was that the majority of the content continues to be relevant and important, and they are certainly much more useful than anything else that is out there that could be adopted.


Given that wholesale removal of the NSSRs was one of the options contemplated in the charter, I think the report needs to make it very clear that returning to the pre-DigiNotar situation where there are no requirements at all in this area would be completely irresponsible.




From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Neil Dunbar via Netsec
Sent: Thursday, June 14, 2018 10:42 AM
To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: [cabf_netsec] Draft Final Report of the NetSec WG




Following on from the London discussion, I’ve prepared a skeleton document to serve as the basis of the final report, which is attached within. The key takeaways are:


1.	The existing NetSec requirements stink
2.	The other security standards don’t stink, but don’t really fit either
3.	We should keep the NSSRs as the base document, but heavily update them.
4.	We should try to charter a new WG to continue to work on that updating process, but continue as a subcommittee of the SCWG post July 3, until this is done.


What’s missing from the document (apart from common sense, clarity of text and purpose)? The external standards which were considered, but rejected as not a particularly good fit. The other members of the WG will be able to fill in those details with better memory than I can. Hopefully we can discuss this at the next meeting. I don’t think that we need be exhaustive in picking out every fault. It’s enough to say “Standard X was considered, but it doesn’t really speak to delegated third party deployments”, or “doesn’t mention multi-party access”, that sort of thing.





