[cabf_netsec] Draft Final Report of the NetSec WG

Ralph Claar ralph.claar at digicert.com
Fri Jun 15 13:24:47 MST 2018


Hi Neil,

I didn’t think it was stuffy. I in no way, shape, or form, meant to offend you.

I used dictionary.com not google.  What I got from them was:
verb (used with object)
1.   to come into possession of; get, acquire, or procure, as through an effort or by a request
to obtain permission; to obtain a better income.
2.   Obsolete. to attain or reach.

verb (used without object)
3.   to be prevalent, customary, or in vogue; prevail:
the morals that obtained in Rome.
4.   Archaic. to succeed.

I thought the definition was more befitting describing/referring to the existence of something as opposed to the lack of something.

I would not be confused with an English scholar in anyone’s universe, so I could be way off base.

Cheers,
Ralph



From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Neil Dunbar via Netsec
Sent: Friday, June 15, 2018 11:40 AM
To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: Re: [cabf_netsec] Draft Final Report of the NetSec WG

It’s quite possible that my English skills are fading as I get older, but I was using ‘obtain’ in the sense of (google dictionary to the rescue)

“be prevalent, customary or established”.

But perhaps less stuffy wording would be better.

Regards,

Neil


On 15 Jun 2018, at 17:24, Ralph Claar <ralph.claar at digicert.com> wrote:

Hi Neil,

Thanks for putting this together and driving this.  I like the revisions.  The only question I have is regarding the second point in the “Conclusions” section.  It currently reads:


“However, returning to a world where no coherent standards obtain for CA Network and System Security is highly undesirable, therefore having some relevant documentation to act as a minimal security standard is the preference of the working group.”
Did you mean to use the word “obtain” there? I would have expected something like “exist for CA Network….” or “govern CA Network…..” or “shape CA Network…..” or something similar.

Cheers,
Ralph

From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Neil Dunbar via Netsec
Sent: Friday, June 15, 2018 6:44 AM
To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: Re: [cabf_netsec] Draft Final Report of the NetSec WG

Version 2, now with less acid on the existing NSSRs, and a little (but nowhere near enough, I think) more on the security standards proposed as replacements for the NSSRs. Some suggestions on more appropriate wording most definitely desired.

I’ve also included an explicit conclusion that we dislike (profoundly) the notion of going back to a no-guidance world.

Regards,

Neil






On 15 Jun 2018, at 14:37, Dimitris Zacharopoulos via Netsec <netsec at cabforum.org> wrote:

+1 for both comments.



On 15/6/2018 3:53 PM, Tim Hollebeek via Netsec wrote:
I think this is an excellent start, but I do have some comments.

I think conclusion #1 is overly critical of the NSSRs.  While we certainly did find some areas where there need to be significant improvements, I think the consensus of the group was that the majority of the content continues to be relevant and important, and they are certainly much more useful than anything else that is out there that could be adopted.

Given that wholesale removal of the NSSRs was one of the options contemplated in the charter, I think the report needs to make it very clear that returning to the pre-DigiNotar situation where there are no requirements at all in this area would be completely irresponsible.

-Tim

From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Neil Dunbar via Netsec
Sent: Thursday, June 14, 2018 10:42 AM
To: CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: [cabf_netsec] Draft Final Report of the NetSec WG

Colleagues,

Following on from the London discussion, I’ve prepared a skeleton document to serve as the basis of the final report, which is attached within. The key takeaways are:


  1.  The existing NetSec requirements stink
  2.  The other security standards don’t stink, but don’t really fit either
  3.  We should keep the NSSRs as the base document, but heavily update them.
  4.  We should try to charter a new WG to continue to work on that updating process, but continue as a subcommittee of the SCWG post July 3, until this is done.

What’s missing from the document (apart from common sense, clarity of text and purpose)? The external standards which were considered, but rejected as not a particularly good fit. The other members of the WG will be able to fill in those details with better memory than I can. Hopefully we can discuss this at the next meeting. I don’t think that we need be exhaustive in picking out every fault. It’s enough to say “Standard X was considered, but it doesn’t really speak to delegated third party deployments”, or “doesn’t mention multi-party access”, that sort of thing.

Regards,

Neil





_______________________________________________
Netsec mailing list
Netsec at cabforum.org
http://cabforum.org/mailman/listinfo/netsec
