[cabf_netsec] Minutes of NetSec Meeting 2020-02-06
ndunbar at trustcorsystems.com
Mon Feb 10 07:43:54 MST 2020
I'm attaching the minutes for review and correction of our latest
meeting. Please feel free to ask for any changes, and I'll ask for
approval at our next meeting (which will probably be in Bratislava).
-------------- next part --------------
Network Security Subcommittee meeting: 2020-02-06
Neil Dunbar (TrustCor)
Ben Wilson (IP)
Mariusz Kondratowicz (Opera)
Daniela Hood (GoDaddy)
David Kluge (Google)
Tim Crawford (BDO)
Trevoli Ponds-White (Amazon)
Corey Rasmussen (OATI)
Corey Bonnel (SecureTrust)
Clint Wilson (Apple)
Joanna Fox (GoDaddy)
Tobias Josefowitz (Opera)
Wendy Brown (FPKI)
Dustin Hollenback (Microsoft)
1. Review Agenda
The agenda was agreed.
2. Agree Last Meeting Minutes
The previous meeting minutes were approved.
3. Pain Points Subgroup
David stated that the Subgroup discussed Ryan's (Sleevi) suggestions to SC20 and felt
them to be unobjectionable. He stated that the thinking for an operational date was
around October 2020. When Trev asked for the rationale behind that date, David replied
that it was largely to ensure that everyone could be in compliance. Neil expressed
a hope that CAs were already in compliance with the proposed ballot, but that by October there
could be no real reason not to be.
The group is still looking for a proposer for the Log Retention Ballot. Tim said that
the Risks and Benefits section had now been completed as requested. Neil said that he
would propose the ballot if two endorsers could be found.
The next set of ballots would be around authentication and accounts, specifically
targetting whether the lockout policy was suitable for current purposes.
4. Threat Modelling Subgroup
Mariusz reported that the group continued to work on the refinement of the checklists
and user stories to address the salient points from the described security model.
5. Document Structuring Subgroup
Ben said that, subsequent to Rufus Burckhart's suggestions from the ETSI 319-411-01 document,
has further made him question whether or not the current activity on restructuring needs
a more fundamental approach; if the notion of a more gradual ballot actually achieves the
desires of the Subgroup.
David said that he didn't feel that the current principles on which the NSRs rely heavily
(especially zoning) reflect current thinking in the computer security space, and if the
principles need restating, then that might be a better approach to take.
Neil asked if the current main 4 sections could have a new preamble which expressed the
current thinking on principles, in preparation for a breakdown into practices and standards.
Ben said that he would have an attempt to integrate the principles approach and report
6. Discuss F2F Presentation
Neil asked each of the subgroup leads to prepare a Google Slides document of past, present
and near future activities of the subgroups so that he could build that into a 10-15
slide document, for a 10 minute plus 5 minute Q&A session in Bratislava.
7. Work on Upcoming Ballot Texts
SC20 will be revised (by Neil) to incorporate Ryan's suggestions, then put for rediscussion
for 7 days, then a vote.
The Log and Retention ballot will be proposed by Neil, assigned a ballot number then put
for discussion, now that the rationale document is complete.
Neil asked for seconders for the ballot on the revision to the CVSS text, which he will then
propose to the main Working Group.
8. Any Other Business
No other business was discussed.
The meeting was adjourned until March 6th, 2020, since the F2F in Bratislava will occupy
the scheduled next meeting.
More information about the Netsec