[cabf_netsec] Draft Minutes for 2019-12-12 NetSec meeting

Neil Dunbar ndunbar at trustcorsystems.com
Fri Dec 13 04:51:14 MST 2019


I’m attaching the draft minutes for yesterday’s meeting. I might well have got some names wrong (or absent altogether), as well as the text.

I didn’t manage to get all of the recording of the minutes (I’ll get better with WebEx, I promise!), so most of this is derived from my notes taken during the meeting.

Please correct any errors and omissions (which are bound to be there) - I’ll post updates and hopefully we can agree on the minutes prior to the next meeting in January.




Minutes of Network Security Subcommittee Meeting

Date: 2019-12-12

  Tim Crawford
  Neil Dunbar (Chair)
  Dustin Hollenback
  Tim Hollebeek
  Tobias Josefowitz
  Mariusz Kondratowicz
  Bruce Morton
  Trevoli (Trev) Ponds-White
  Corey Rasmussen
  Ben Wilson
  Clint Wilson


The new chair (Neil) thanked the departing chair (Ben) for his work to date.

The chair then proposed to have the following structure to meetings, mirroring the
structure of the CA/B Server Certificate Working Group practice:

    - Every Monday prior to a meeting, a draft agenda will be sent to the netsec
      mailing list. All participants are encouraged to read and add any items
      desired for discussion to that agenda.
    - Every Wednesday prior to a meeting, the final agenda will be circulated to
      the netsec mailing list.
    - Every Friday, after a meeting, the draft minutes will be circulated, again to the
      netsec mailing list. Attendees are encouraged to read and correct any errors.
    - The first order of business in the meetings will be approval of the minutes.
      Once approved, the agreed minutes will be posted to the netsec mailing list.

The group then went through the smaller subgroups to update the membership and
agree the meeting times of each of them.

The subgroups were:

  - Document Structuring
  - Threat Modelling
  - Pain Points
  - Authentication and Access Control

Due to commitments that the attendees have towards the other subgroups, the chair
proposed deleting the Authentication and Access Control group, with the ability
to resurrect it should the need arise. It was suggested by Tobias that the functions
of that subgroup could be absorbed into Pain Points and Threat Modelling. The chair
asked Tim (Hollebeek) if this was acceptable, and the deletion was agreed.

The chair then asked of the remaining groups what the expected outcomes were
for the near future of each of their respective efforts.

The Threat Modelling subgroup under Mariusz said that the next output would be
a set of user stories and checklists which can then be used to remediate the
threats which have been highlighted from the existing modelling, and from feedback
from CAs and browsers from the questionnaire which was circulated prior to the
Thessaloniki F2F. This is not expected to be done until early 2020.

The Document Structuring subgroup under Ben suggested that their output would
either be a new set of definitions for the NSRs, or a simpler reformatting of
the NSRs, with the mixture of numeric and alphabetic sections replaced by purely
numeric structures, in the same way that the BRs are sectioned. Again, this
could form a ballot early in the New Year. The chair also suggested that the
new format could be rendered in Pandoc compatible Markdown, to reflect the
efforts in reformatting the BRs, but did not propose this as a course of action,
merely a suggestion.

The Pain Points subgroup is still working on getting Ballot SC20 v2 to the
SCWG as a whole; the language still needs some work to remove ambiguity.
Tim (Crawford) said that the next ballot to emerge would most likely be the
one on log file retention duration.

The group as a whole then concentrated on reworking SC20 v2. David Kluge (absent)
had accepted recent changes to the existing document. Trev suggested that an
explicit reference to a change management process would help to clarify the intent of the
ballot - namely, to ensure that all changes to CA systems were backed by an
auditable set of change orders, and that monitored changes to those systems could
be measured against such orders.

The text of the replacement section 1(a) was adjusted by the chair to specifically
call for a change management process to be present in a CA's security policy.
There appeared to be general approval for this change, but the final text will
still need to be agreed.

Ben advised that the proposer of the ballot would need to be changed. Neil
said that he would propose the ballot on behalf of TrustCor if the seconders
were content. Tobias advised that, in principle and dependent on the final text,
he would second the proposed ballot.

There was no other business proposed or discussed.

Because of the holiday season, the meeting on December 26th was cancelled. The next
meeting of the NetSec group will commence on January 9th, 2020.
