[cabf_netsec] NetSec Committe Meeting Minutes 2020-10-15/2020-10-29/2020-11-12

Wed Nov 18 08:40:42 MST 2020

All,

With apologies for the lateness of these minutes, I'm enclosing the last 
three minutes for approval next time we convene the NetSec meeting.

Since the US has its Thanksgiving holiday, I was thinking that perhaps 
shifting our meeting time to the Tuesday 24th might work, but I'll send 
a separate email with those suggestions.

Thanks,

Neil

-------------- next part --------------
Network Security Subcommittee Meeting Minutes
2020-10-15

Attendees

Neil Dunbar (TrustCor) [Chair]
Clint Wilson (Apple)
Corey Rasmussen (OATI)
David Kluge (Google)
Mariusz Kondratowicz (Opera)
Bruce Morton (Entrust Datacard)
Tobias Josefowitz (Opera)
Dustin Hollenback (Microsoft)
Trevoli Ponds-White (Amazon)
Tim Crawford (BDO)
Tsung-Min Kuo
Aaron Poulsen (DigiCert)
Ben Wilson (Mozilla)
Janet Hines (SecureTrust)
Wendy Brown (FPKI)

1. Review Agenda

The agenda was agreed.

2. Agree Minutes

The minutes were approved.

3. Pain Points Subteam Update

The previous subteam update concentrated on the Cloud CA model. An early draft is available.

The current approach is concentrated on examining those opportunities of using Cloud services
without migrating core competencies such as signing. Those opportunities were listed by potential
risk, with an attempt to enumerate the details of potential risks. This work will continue over
the next few months, and the Pain Points subteam will migrate into the Cloud Services subteam.

Neil agreed that the immediate issues in the Pain Points have been addressed. He did ask whether
the Cloud team would be examining the use of public cloud providers, or rather the use of cloud
technologies such as Kubernetes.

Mariusz asked David how  the Threat Modelling team would best synergize with the risk analysis
of Cloud Services, so as not to duplicate work. David said that risk analysis would be best
done by joining forces.  Mariusz thought that joining up the subteams makes the most sense, given
that including threat modelling early improves the overall output of any proposal.

Ben added that he was happy to co-ordinate between the groups.

4. Threat Modelling Subteam Update

Mariusz reported on the previous meeting which examined the threat modelling approach, with
some interesting thoughts emerging. The summary has been sent out to the group as a whole.

The second item was to include a risk analysis on each ballot, so that people can see the
reasoning on what thinking has gone on in the production of NetSec ballots. Neil thought
that not everyone reads the Google Drive so perhaps including the text might serve a purpose.

Ben agreed that linking the discussion document was useful, but counseled against putting the
analysis in the ballot text itself.

Mariusz suggested reversing the order of the threat modelling meetings such that they can
feed into the next NetSec call. Neil agreed that the scheduling of the calls was sub optimal,
and had intended to introduce this at the F2F.

Trev suggested a Doodle poll for all of the meetings. Neil said that he would get that going.

5. Document Structuring Subteam Update

There was no meeting, so nothing was reported for this update.

6. F2F 51 Presentation Discussion

Neil introduced the presentation [available now on the wiki - the minutes capture the
discussion].

He described the request from Ryan to describe a clear problem statement. This is now
in the first page.

Ben asked about adding a first bullet to the problem statement, essentially describing
the function as ensuring security for CAs. Neil added that the objectives are there
in later slide.

Mariusz requested that the threat modelling address be removed from the end slide, given
that the threat modelling mailing group is rarely used now. Neil agreed.

Neil asked for any members to add or alter the presentation as they see fit. He also
asked for any other points to discuss.

Ben suggested adding in some text regarding the offline CAs ballot.

Trev asked if we would be changing the name of the Pain Points (to Cloud Services) group
in the F2F. David thought this was a good idea and would be adding that to the slide deck.

Ben thought that it would helpful to scope this discussion appropriately - rather than
present it as "whole CA in the cloud" model. Trev thought it would still be better to
simply say that we had addressed all pain points, and then to focus on Cloud Services.

Neil argued that it would be better to announce winding up the the Pain Points team, and
launching a Cloud Services team.

7. Any Other Business

There was no other business.

8. Adjourn

The meeting was adjourned and will recommence on 2020-11-12 unless the team decides not
to convene after the F2F meeting.
-------------- next part --------------
Network Security Subcommittee Meeting Minutes
2020-10-29

Attendees

Neil Dunbar (TrustCor) [Chair]
Clint Wilson (Apple)
Corey Bonnell (DigiCert)
Corey Rasmussen (OATI)
David Kluge (Google)
Mariusz Kondratowicz (Opera)
Bruce Morton (Entrust Datacard)
Tobias Josefowitz (Opera)
Dustin Hollenback (Microsoft)
Trevoli Ponds-White (Amazon)
Tim Crawford (BDO)
Ben Wilson (Mozilla)
Janet Hines (SecureTrust)
Wendy Brown (FPKI)

1. Review Agenda

The agenda was approved.

2. Ballot for Archive Retention

Tim introduced this ballot, explaining that after SC28 was passed, it limited the retention time for
audit log information (dependent on category) down from a blanket 7 years to a period of 2 years
after the event concerned - whether that be expiry of a certificate, revocation, etc. However,
this was not followed through into Section 5.5.2 of the BRs which talks about archive information.
Section 5.5.2 continues to require that certificate lifecycle information must be retained for
seven years after the certificate ceases to be valid.

Neil said that it is not particularly clear what the distinction between audit log and archive actually
is; and that some CAs essentially conflate the two into their information retention policies. He 
added that it makes little sense to distinguish between the sunset periods.

There is now a discussion document in the Google Drive. Neil committed to providing a new ballot
if he could get seconders. Neil posted the redline to the group. Ben commented that it literally
changes the word "seven" to "two". Neil replied that he couldn't see it being a controversial issue.

Ben and David offered to second the ballot, as did Dustin and Trev.

Dustin expressed gratitude that Tim found this; Trev replied that the entire CA/B Forum missed
this.

3. Times for Future Team Meetings

Neil said that he sent out Doodle polls for the NetSec and Subcommittee meetings, with hours
of 0900 PST through 1300 PST. The first week on offer is the "off-week" from the CA/B Forum,
and the second one the same week as the CA/B Forum meetings.

Ideally the subteams would meet the first week with the NetSec meeting after that.

Neil asked if other times should be added.

Dustin asked if we had anyone in Asia attended the calls. Neil replied that some Asian based
personnel are on the mailing list, but few if any attend the calls, probably because of the timezone.
Dustin further commented that while he was based in Hawaii, it made joining in very difficult
because of the early start, which would be the case for people in Asia too.

Neil said that his preference would be for NetSec to meet on the Tuesday prior to the CA/B Forum
meeting, and the subteams meet the week before that, so that discussions could funnel into the
SCWG in a more streamlined manner.

4. Any Other Business

There was no other business to discuss.

5. Adjourn

The meeting was adjourned and will reconvene on 2020-11-12
-------------- next part --------------
Network Security Subcommittee Meeting
2020-11-12

Attendees

Neil Dunbar (TrustCor) [Chair]
Clint Wilson (Apple)
Corey Bonnell (DigiCert)
Corey Rasmussen (OATI)
David Kluge (Google)
Mariusz Kondratowicz (Opera)
Bruce Morton (Entrust Datacard)
Tobias Josefowitz (Opera)
Dustin Hollenback (Microsoft)
Tim Crawford (BDO)
Ben Wilson (Mozilla)
Janet Hines (SecureTrust)
Wendy Brown (FPKI)
Daniela Hood (GoDaddy)

1. Review Agenda

The Agenda was approved, with a request to add in a discussion regarding SC34
in the ballot section.

2. Cloud Subteam Update

David explained that the Cloud team have been examining each component of CA
operations which could be operated in a cloud environment; looking at each risk
which could be identified.

David has spoken to colleagues in the Cloud Security Alliance and ISO to see if 
they can support, advise or feed back on any proposals we make; although a write
up in a more formal way is required prior to a more formal submission to those
groups.

Neil remarked that AWS enclaves had been launched - where TPM backed VMs with
no networking was allowed. David thought there was quite a lot of research and
into the audit and assurance models which can be done. Trev had suggested trying
out the FedRAMP services.

3. Threat Modelling Update

Mariusz announced that they would merge the Threat Modelling team into the Cloud
Services team effort for the time being; essentially freezing the Threat Modelling
subteam as a separate effort.

Some documentation has already been provided to the Cloud Services team to act
as a starting point for risk analysis.

4. Document Structuring

Ben reported that the ballot for Offline CAs has had its introductory text reworked
so that some of the concerns brought up earlier would be addressed.

5. SC38 (Archive Log Retention)

Neil said that the ballot is ready, but would introduce this to the SCWG as a pre-ballot
and that he would open the discussion period after that.

6. Critical Vulnerability Ballot

Neil introduced SC39, which was actually introduced back in February 2020. Corey (Bonell)
had discovered that the definition of Critical Vulnerability had some references which
were no longer valid. This ballot attempts to correct them by referring to CVSS v3.0 scores
of 9.0 and above defining a Critical Vulnerability, as well as pointing to the correct
URI for CVSS.

Neil added that this ballot might be a little more controversial since it narrows the
scope of how a critical vulnerability is determined (from CVSS v2.0 7.0 and above to
CVSS v3.0 and above). He had done a quick scan to establish that the CVSS v2.0 "Critical
Vulnerabilities"

7. SC34 (System Accounts) Ballot

Neil asked Tobi if it was worth introducing this ballot to SCWG with a summary of what
the discussion had been. Tobi thought that might be a good way forward.

8. Meeting Times

Neil thanked those who had voted, but reported that Ben had asked if the window
could be extended from 1700 UTC to the earlier 1500 UTC, but that might be a little
early for North American contributors.

Ben said that while 0700 Pacific was a little early, an 0800 slot is not too terrible.

Neil said that Tuesdays and Thursdays are the favoured times, and 1900-2000 Tuesdays
seems the most popular. Similarly 1900 is favoured. Mondays don't seem to be favoured
by the votes.

Tuesdays for Cloud Services seems to be favoured too.

9. Any Other Business

There was no other business.

10. Adjourn

The meeting was adjourned and will reconvene on a date to be agreed, not conflicting
with the US Thanksgiving Holiday.