[cabf_netsec] Updated Minutes for meeting on 2020-01-09

[Neil Dunbar]

Colleagues,

I've updated the attendance list in accordance with emails received, and 
am attaching the following minutes, for approval/alteration in the 
meeting later today. In the future, I'll break up these minutes into 
agenda headings to make them a bit more readable.

Cheers,

Neil


-------------- next part --------------
Minutes of NetSec Subgroup Meeting

2020-01-09 17:00:00 UTC

Present

Neil Dunbar (TrustCor) [Chair]
Corey Rasmussen (OATI)
David Kluge (Google)
Ben Wilson (IP)
Daniela Hood (GoDaddy)
Patrick Milot (IP)
Clint Wilson (Apple)
Wendy Brown (FPKI)
Trevoli Ponds-White (Amazon)
Dustin Hollenback (Microsoft)
Joanna Fox (GoDaddy)

The agenda was approved.

The meetings of the last meeting (2019-12-13) were approved.

David Kluge presented the report from the Pain Points team. Not much
to report. The team were happy with the most recent changes to the
proposed SC20 ballot; adding that if there were final tweaks to the
language, then this meeting would be appropriate to hear them. The
hope is that SC20 will be ready for the full SCWG in the next few days.
Neil added that he was happy to propose the revised ballot, on the
assumption that the seconders were happy.

David added that a new ballot on log retention was next in the pipeline.
He added that it was in good shape, but it still needs more work.

Ben asked for sign-in information for the Pain Point subgroup, which
David said that he would provide the relevant Google Hangouts to
anyone who emailed him.

Neil explained that for Threat Modelling, Mariusz was off ill. At
the last meeting, Mariusz explained that the intent was to produce a
set of user stories, explaining where threats and the appropriate
mediations fit in. Trev confirmed that this was the intent, and
expressed a desire to see more participation in the team meeting.

Ben Wilson reported for the Document Structuring Subgroup. He said
that most of his recent work was in redesigning the definitions,
using different glossaries of various InfoSec definitions (e.g. CNSSI,
SANS Institute) to see if they can be an adequate basis for CA/B
NetSec definitions.

Ben added that he wished to reinstitute another call for regular
meetings of the group. David offered to set up the call for the
subgroup. Ben suggested Mondays as a meeting day, which met with
general approval.

David asked about the timing expectations for the Document Structuring
Subgroup. Neil said that the minutes of the last meeting suggested
a ballot early in 2020. David favoured an early sequence of ballots.

Looking at the current document, Neil said that the existing work
looked like a mapping of NetSec to WebTrust/ETSI criteria, rather than
changes to the document. He asked what the ultimate goal of Document
Structuring was.

Ben answered, saying that the current document is repetitive, and that
narrower, more focussed language will be required, but that ultimately
a more extensive set of changes were desired.

Trev opined that much of the document seemed overlapping, and Wendy
asked if one goal was to make the requirements more auditable, such
that they allowed a clearer alignment of WebTrust/ETSI requirements,
and perhaps also with RFC 3647.

Ben suggested that a 3647 mapping would be a positive step, and agreed
to take the action item to begin such a mapping. Another direction, Ben
added, was that a principle based approach (like PCI-DSS) might be the
appropriate structure for the NetSec documents.

David commented that the current NSRs assume a highly zone based approach,
which is not where current NetSec thinking was headed, in favour of a
more principle based approach.

Neil asked if the 3647 approach directed thinking away from a principles,
practices and standards approach. Wendy suggested that perhaps only parts
of 3647 were applicable to a Network Security standard.

Neil then suggested that perhaps adding an RFC 3647 mapping to the
current Document Structuring work-in-progress document might be
useful. Ben agreed to perform such a mapping, with a review at the
next meeting.

Moving to upcoming ballot work, Neil asked if SC20 is ready to go.
David asked if anyone had any changes. He brought up the issue which Tim
(Crawford) had brought up, of 24 hours to begin investigation versus 96
hours. The current requirements suggested 1 week.

The team as a whole seemed to coalesce around a 24 hour period for
starting investigation. Neil said that he would reach out to the
seconders and begin the proposal for SC20.

David moved on to the proposed ballot for log retention. He explained
that the rationale was that a strict reading of the NSRs and BRs meant
that any and all logs which contained auditable information must be
retained for a period of seven years minimum. The authors of the proposed
ballot felt that for some categories of information, this retention
period was excessive.

The ballot firstly aligns the NSRs clearly with the BRs, and then
proposes categories of information which, the authors believe, do not
benefit from such a long retention time.

David explained that the Pain Points group tried to discern where the
seven years guideline came from, and the feeling was that it was largely
arbitrary. The proposed ballot then suggests a two year period for non
certificate related security events.

Some discussion on overall retention periods ensued, with a view that
the period could even be nine years, since a certificate could last
2 years and then a further seven on retention. Trev thought that this retention
period was the longest that any program imposed on its members; Clint
agreed with this. Wendy thought that the Federal PKI also mandated
seven years, and thought that it might have been a hangover from the time
from when certificates could last a lot longer than they did (e.g. five
years).

Wendy sought to explain that the FPKI made a distinction between the
audit log and the archive log; although she said that it didn't make a
real difference in practice.

Neil said that perhaps the mandate of SC20/SC21 meant that a lower
retention period was desirable; Trev and Dustin said that there is no
actual mandate, although the desire is to push people towards automated
log review, without a formal mandatory requirement. Neil accepted this
correction.

Dustin observed that in conversation with different compliance team, he
was informed that much of the retained information serves little or no
purpose in being retained for such a long period.

David asked that the team review the current proposed text and suggest
any changes before it becomes a true proposed ballot.

Neil then asked for any other business. On hearing none, the meeting
was adjourned and will recommence on 2020-01-23.