[cabf_netsec] NetSec meeting minutes from 2020-12-08

Neil Dunbar ndunbar at trustcorsystems.com
Wed Dec 9 15:38:04 UTC 2020


All,

I've attached the minutes from Tuesday, 2020-12-08's meeting. Please 
review and suggest any changes.

Note that there will not be a meeting on 2020-12-22, since there is no 
CA/B Forum meeting that week: we'll reconvene in early January.

Cheers,

Neil

Network Security Subcommittee Meeting
2020-12-08

Attendees

Neil Dunbar (TrustCor) [Chair]
Ben Wilson (Mozilla)
Cezary Cerekwicki (Opera)
Mariusz Kondratowicz (Opera)
David Kluge (Google)
Tim Hollebeek (DigiCert)
Corey Bonnell (DigiCert)
Core Rasmussen (OATI)
Aaron Poulsen (DigiCert)

1. Review Agenda

The agenda was approved.

2. Agree Minutes

The minutes from the previous three meetings were approved.

3. Cloud Services Group Update

David reported that the group had met on the Monday (2020-12-07) and
said that they had continued to work on the slide deck covering the various
service components for which CAs could use (or already use) Cloud Services
to sustain their business offerings. Considerable progress has been made
on the risk analysis for the validation store and certificate database.

The plan for the next call is to continue this work, so that it can be
finished in January 2021.

An ongoing piece of work is an attempt to map the existing NCSSRs against
known Cloud standards documents, similar to what was done in Document
Structuring. The output of that exercise will be used once the service
components work is complete; this mapping can then be used to cross-reference
any new cloud service rules work against the NCSSRs.

Ben commented that he was pleased to see the slide deck was progressing,
allowing a better breakdown of what the CAs are doing or planning within
the cloud space, and to measure the risks and evaluate controls from those
actions or plans.

Neil also said he liked the service component description; taking the
example of OCSP responders, acknowledging that CAs are doing this already,
but now overlaying consideration of risk measurement onto that activity.

5. Document Structuring SG Update

The DSG is temporarily paused until January, but Ben asked for some 
time to discuss the Offline CAs ballot, the summary of which is under
"Any Other Business".

6. SC38 Update

Neil reported that, having circulated the draft ballot around the SCWG
and got no major feedback, he would begin the discussion phase on 2020-12-09.

7. SC39 Update

Neil reported that the ballot was ready to go if a second endorser could
be found. Ben offered to endorse, so Neil said that he would begin the
discussion phase tomorrow. Neil thought that this ballot would be uncontroversial,
since it is just correcting a definition, rather than proposing new rules
or modifying any practices.

8. Any Other Business

Neil mentioned that as Mariusz would be leaving Opera, he would transition
away from his role as lead of the Threat Modelling Group. Mariusz commented
that, although he was leaving Opera, his intention was to remain within the
CA/B Forum as an Interested Party, and as such would rejoin the NetSec
group.

Cezary Cerekwicki will take Mariusz's place as one of Opera's representatives.

Ben began a discussion based on Wayne (Thayer)'s feedback on the Offline CAs
ballot proposal. The team went through each of the notes submitted and
suggested alternative text for each point, which Ben would then consider
when amending the ballot proposal.

The central points were:

 - removal of the word "static" in "static configuration"
 - maintain an annual review of configuration
 - adjust the text of "Trusted Roles *who* are authorized" to "which
   are authorized" in order to remove ambiguity
 - removal of "separation of duties" with regard to Trusted Roles (in
   order to establish that the point of the roles is to provide
   multi-person control, which might provide separation of duties
   or it might not)
 - make clear that access control list review only applies to physical
   systems, and to avoid overly detailed requirements in that sector
   [David brought up the example of a PIN-coded safe, which has logged
   access; actually validating the PIN code should not be needed, or
   even desired, if the logs show no ingress or egress to that secured
   environment]

9. Adjourn

The meeting was adjourned. The consensus was that, as the late December CA/B
Forum meeting has been postponed until January, NetSec will do the same. The
group will reconvene on 2020-01-05.