[cabf_netsec] Minutes of NetSec meeting from 2020-02-02
ndunbar at trustcorsystems.com
Wed Feb 3 10:50:48 UTC 2021
These are the minutes from yesterday's (2020-02-02) NetSec meeting. If
anyone has comments or requests for alteration, please let me know.
Network Security Subcommittee Meeting
Neil Dunbar (TrustCor) [Chair]
Jim Gorz (GoDaddy)
Ben Wilson (Mozilla)
Tobias Josefowitz (Opera)
Daniela Hood (GoDaddy)
Tim Crawford (BDO)
Corey Rasmussen (OATI)
Aaron Poulsen (DigiCert)
Corey Bonnell (DigiCert)
Clint Wilson (Apple)
Bruce Morton (Entrust Datacard)
Tim Hollebeek (DigiCert)
Trevoli Ponds-White (Amazon)
1. Review Agenda
The agenda was reviewed with no changes requested.
2. Approve Minutes
Because of insufficient review time, the minutes will be subject to approval
at the next meeting.
3. Cloud CA Subteam Update
David was absent, so Neil attempted to report on the Monday (2020-02-01) meeting
of the Cloud Services subgroup.
David has generated a report in two parts. The first part shows how the Google
compliance team has mapped the various standards documents covering cloud security
(e.g. Cloud Security Alliance CCM, ISO 21188, etc.) and compared those with how
they cover the subject matter of the NCSSRs.
The overlaps are represented in green (full coverage), amber (partial coverage)
and red (low coverage). David did caution that the people who had made those
judgements were not CA or PKI subject matter experts nor experts in the NCSSRs,
therefore there might be some errors in determination which can be reviewed once
the document is published.
There seem to be quite a few areas in which the NCSSRs fall short.
The next element of the document was a study of the DigiNotar report (Black Tulip),
asking where, if anywhere, would the current NCSSRs have presented a block to
the behaviour which resulted in such a disastrous breach.
From a network segmentation standpoint, there was not too much to be said, since
there were firewalls in place. From an application security standpoint, there
were critical vulnerabilities allowed to persist; in this case the 96 hour patch
window mandated in the NCSSRs would have been breached. Similarly, log reconciliation
was not performed. While the NCSSRs point towards a log reconciliation best
practice, this is not actually mandated explicitly, indicating room for growth
in the NCSSRs.
Finally, the HSMs were network accessible HSMs - not in itself a bad thing - but
the access to those modules was not mediated or restricted in any significant way.
In other words, any application with PKCS11 capability would have been able to use
the signing service for any purpose. HSMs are not capable of knowing what type
of object they are being asked to sign, therefore best practice is to have content
aware proxies in front of those devices to prevent arbitrary signatures being
gathered for various objects. However, no duty to do so exists explicitly in the
The CS team encouraged David to present these materials to the F2F meeting, since
it is a good presentation.
Ben commented that it was interesting that the network segmentation did not play
so large a part as was thought. Ben further commented that the application code
in low security zones was able to call services in low security zones without
content aware mediation such that malware was allowed to transit from low security
zones to high, or at least to tunnel hostile traffic there.
Neil commented that the takeaway was that the NCSSRs could be improved in application
security and critical core system protection to prevent similar risks in the future.
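The content-aware mediation discussed above (a proxy in front of the HSM that refuses to forward anything it cannot recognise as a policy-conformant object) can be illustrated with a small signing gate. This is an added example, not code from the minutes or from any CA mentioned in them; the issuer name, the maximum validity and the sample TBSCertificate are constructed for the example, and the gate only understands UTCTime validity and byte-exact issuer matching.

```python
from datetime import datetime

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def tlv(buf, off=0):
    """Decode one TLV at offset; return (tag, body, offset_after)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: next (ln & 0x7F) bytes hold the length
        ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
    return tag, buf[off:off + ln], off + ln
def children(body):  # split a constructed body into (tag, inner) elements
    out, off = [], 0
    while off < len(body):
        tag, inner, off = tlv(body, off)
        out.append((tag, inner))
    return out

def name(cn):  # X.501 Name holding a single commonName RDN
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))
ALLOWED_ISSUER = name("Example Issuing CA")  # policy constants, constructed for this example
MAX_VALIDITY_DAYS = 398

def gate(blob):
    """Return (allowed, reason); only a policy-conformant TBSCertificate may reach the HSM."""
    try:
        tag, body, end = tlv(blob)
        if tag != 0x30 or end != len(blob):
            return False, "not a single DER SEQUENCE"
        fields = children(body)
        if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
            fields = fields[1:]
        if [t for t, _ in fields[:6]] != [0x02, 0x30, 0x30, 0x30, 0x30, 0x30]:
            return False, "field layout is not TBSCertificate"
        if der(0x30, fields[2][1]) != ALLOWED_ISSUER:
            return False, "issuer is not the allowed CA"
        nb, na = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in children(fields[3][1]))
        if (na - nb).days > MAX_VALIDITY_DAYS:
            return False, "validity exceeds %d days" % MAX_VALIDITY_DAYS
        return True, "ok"
    except (ValueError, IndexError, UnicodeDecodeError):  # truncation, bad lengths, bad times
        return False, "malformed input"
def make_tbs(issuer_cn, not_before, not_after):  # constructed sample TBSCertificate (v3)
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))  # sha256WithRSA
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00"))  # placeholder, not a real key
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
    return der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x2a") + alg
               + name(issuer_cn) + validity + name("www.example.test") + spki)
```

A raw hash handed to the gate is refused at the first check, so a caller with PKCS#11 access to the proxy can no longer obtain a signature over an arbitrary object.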
4. SC39 Update
Neil reported that SC39 is now out for voting.
5. SC38 Discussion - withdrawal and replacement
Neil has come to the conclusion that he intends to withdraw ballot SC38, since
its scope has grown beyond what was originally envisaged. In its place, new smaller
ballots to address sections 1.3.2 and 4.1.1 of the BRs will be put in place.
Neil said that it was his belief that the suspicious certificate database serves no
purpose, so he would consult with stakeholders [CAs, auditors and browsers] to see
if a better protection rule can be established.
After that, Neil asked Clint if he (Neil) could help on Clint's proposal to draw
up new sections for 5.4/5.5. Clint said that he would be happy for the help; and
that there are some clear fixes that can be done to get the spirit of SC38
6. SCXX - Airgapped Ballot Discussion [now SC40]
Ben reported that SC40 has been assigned to the ballot proposal.
Ben replied that he would be sending this out for discussion by the end of today.
He said that one wrinkle was the Bylaw requirement to consider how other ballots
might interact; he was unsure as to whether to redline with SC41 in mind or not.
Tim (Hollebeek) replied that there is a common misreading of the Bylaws. The intent
of the Bylaws was to say that if there is a potential conflict with a pending
ballot the author should list the potential conflict. The bylaw then allows
the author the option of describing how the conflict could be resolved - but
this is not a requirement. However, some people have interpreted the optional
clause as being a mandate to redline all combinations of competing conflicts.
In his (Tim's) opinion, this is not a correct reading.
Ben replied that there would be very few conflicts. Neil said that it was a new
section, to which Ben replied that the renumbering in SC41 might cause conflict.
7. Any Other Business
Neil said that he would be generating the first draft of the F2F report for
review and changes for the March (virtual) F2F meeting. Since there is only
a month to do this, we will have a section in the next meeting to go over the
draft and attempt to finalize it in the weeks prior to the F2F.
He asked that if any member had elements specifically for discussion to
forward those items (via list, private email or call) to him and he would
include those items in the draft.
The meeting was adjourned and will reconvene on 2020-02-16.