[cabf_netsec] Minutes for the NetSec meeting on 2020-07-23

Neil Dunbar ndunbar at trustcorsystems.com
Fri Jul 31 08:54:19 MST 2020


The minutes are attached to this posting. Any comments, omissions,
change requests, please let me know and I'll address them.



Minutes of NetSec Meeting: 2020-07-23


Neil Dunbar (TrustCor) [Chair]
Wendy Brown (FPKI)
Bruce Morton (Entrust Datacard)
Ben Wilson (Mozilla)
Clint Wilson (Apple)
Tim Crawford (BDO)
Michol Murray (GoDaddy)
David Kluge (Google)
Trevoli Ponds-White (Amazon)
Janet Hines (SecureTrust)
Tobias Josefowitz (Opera)
Daniela Hood (GoDaddy)
Aaron Poulsen (DigiCert)
Tomofumi Okubo (DigiCert)

1. Review Agenda

The agenda was agreed.

2. Agree Minutes

The minutes from the last meeting (taken by Ben) were approved.

3. Pain Points Subgroup Update

David reported that the team had met after a long break. The team
had taken stock of the ballots currently in flight, to see if more
work could be done on them.

For SC28, there were no further comments to address, other than
Dimitris's request to hold consideration of SC28 until September. The
team had no particular objection to this, but still wants to make
fast progress on the other ballots, with the notion being to submit
them after the summer break.

Neil added that Dimitris had clarified what he meant in his email on
the SCWG call: he was specifically referring to complex and far-reaching
ballots (of the sort which the NetSec team can produce), and added that
SC28 and SC32, and possibly the Offline CAs ballot, would fall into this
category. However, in Neil's opinion the authentication lockout ballot
would not be considered complex, nor would Tobi's access ballot.
Perhaps we could come to a conclusion as to which ones don't require
a great deal of thought.

Trev suggested that we prioritise the ballots, but push them all
through, because we can't really determine what meets the somewhat
vague criteria of "complex and wide ranging". She particularly did not
think that SC28 was complex.

David agreed with Trev, although accepted that some others think
differently. He remained open to either approach.

Regarding the account management ballot, the team is happy with the
text, but some further work on the document explaining motivations
and reasoning remains to be done, although some has already been done.

For the authentication control ballot, the main conclusion was that
instead of keeping 2.k, the right approach would be to state the
desired outcome and leave it to the CA to propose how this should
be done. The motivation text should also be added.

Trev volunteered to add to the explanatory text.

4. Threat Modelling SG Update

Mariusz was unavailable.

Neil commented that the Threat Modelling document had some new text
regarding CA equipment, but there was not much text in it. Neil suggested
that we await Mariusz's return to pick up from Threat Modelling.

5. Document Structuring SG Update

Ben said that the Offline CA ballot and SC32 were discussed, but nothing
substantive was produced, although a desire was expressed to clarify the Zones ballot
[SC32] to be more specific regarding the boundaries (whether logical
enclaves, physical areas or however they are described). Some more work
remains to be done on this.

6. Heartbeating of ballots

Neil said that he had made changes to SC28 to address Ryan's feedback,
but the only thing stopping it moving forward was the request to have a
moratorium on ballots. He was prepared to "heartbeat" SC28, although not
happy about it.

Neil asked Ben if the notion was to let ballot SC32 drop and introduce a new
ballot with the same aims. Ben said that it was. Neil added that he would
happily continue to endorse, and Trev indicated she would too.

Ben said that they would try to address some of the concerns which had been
raised in the new ballot.

Thus Neil said that the only thing which remains is to decide which
ballots to push first to the SCWG. But the problem remains that this
forces us to second-guess the importance of our ballot pipeline. Neil's
objection to this is that all the ballots are important, and that we don't
produce ballots for fun.

Trev agreed with this statement.

David was unclear as to why NetSec is being asked to hold off on ballots while
other teams continue to produce them. Trev added that this seems odd since a
validation ballot seems imminent. Neil commented that such a ballot has a material
effect on what CAs will or will not implement, and therefore would also
seem to fall into the "complex" category.

Trev said that the priority should be based on our readiness and convenience.

Neil agreed, saying that if we need to heartbeat ballots, then we will. He added
that, as with SC29, it will add to a glut of ballots needing to be looked at when
the COVID pressures on members ease, leading to the situation where the WG is
asked to consider 20 ballots in 2 weeks, which is an impossible task.

Neil said that he would take this up privately with Dimitris and report back.

Trev said that this seemed a good idea.

Wendy asked if it would make sense to go ahead with the ballots but to extend
the effective-from dates in the ballot text.

Neil replied that the issue was not whether the CAs have the resources to implement
the particular ballot outcomes, but rather that they lack the resources to
consider whether the changes proposed are good or bad.

Wendy said that perhaps it's a combination of both analysis and implementation.

Neil offered to give Dimitris several options (including extending the
effective dates), and said that he would send this email.

7. Offline CAs ballot

Ben said that he was still looking for endorsers. He asked David if he was OK
with endorsing. David replied that he needed to give it one final pass, but that
he would endorse.

Trev said that she would endorse after a final pass.

David asked if the Zone ballot needed endorsers, to which Ben replied that it
did not.

Ben said that the account ballot was still looking for endorsers, and Tobi
agreed. David said that he would endorse it, and Neil said that he would endorse
too. Neil asked Tobi to grab a ballot number now that they had text and

Tobi said that he would.

Neil asked David to confirm that the lockout ballot wasn't quite ready for
endorsers. David said that it should prove uncontroversial.

8. Zones ballot

There was nothing to add to the previous discussion.

9. Other Ballots

There was nothing to add regarding the accounts ballot.

There were no other ballots needing discussion.

10. Any Other Business

There was no other business to discuss, although Aaron asked if the meeting
invitation could be resent. Neil said that he would post to the Netsec-management

11. Adjourn

The meeting was adjourned and will reconvene on 2020-08-06.
