[cabf_netsec] Minutes of NetSec Subcommittee Meeting 2021-11-09
Daniel Jeffery
djeffery at fastly.com
Tue Nov 9 19:52:05 UTC 2021
9 Nov 2021 | CAB Forum Net Sec Subcommittee
<https://www.google.com/calendar/event?eid=MXM0aGNpY2MzbW41ODJyNmJvOWxzNW1mcnZfMjAyMTExMDlUMTkwMDAwWiBkamVmZmVyeUBmYXN0bHkuY29t>
Attendees: Daniel Jeffery, Ben Wilson, Clint Wilson, Tim Hollebeek, Ali
Gholami, Corey Bonnell, David Kluge, Janet Hines, Kati Davids, Tobias
Josefowitz, Trevoli Ponds-White, Prachi Jain
Notes
- Yesterday's agenda is basically the same, maybe summarize for those missing yesterday
- Daniel and Ben were invited to summarize risk assessment and draft charter ballot, respectively
- Daniel summarized the current state of the risk assessment as having methodology revision, current doc is shared in the NetSec Google drive
- Collaboration tomorrow with Trev and David on the threat and asset columns
- On the NetSec WG charter ballot Ben brought up the questions Tim had regarding adoption of NCSSRs and the language we discussed adding yesterday
- Tim was concerned that we could end up in a situation where WGs are on different versions that could make it very difficult for certificate issuers to comply
- Agreement that this concern is not addressed in the current language
- Discussion of approaches:
- don't want one WG to be able to veto NCSSR
- should we push the groups to all accept the ballot immediately then?
- Tim pointed out there is significant overlap of participants in the NetSec and other WGs; perhaps we can negotiate before it leaves the NetSec group so it can have a high degree of agreement and expect all to adopt immediately (Tim and Ben discussing)
- David was more concerned about deadlock than fragmentation
- Tim was leaning in the direction of empowering the NetSec WG to just change the NCSSR so that people should be involved in NetSec if they want to review it
- Trev pointed out that this is how the other subgroups work and she agrees with taking this approach
- Non-binding review was suggested to give each WG a chance to review
- Clint suggested letting them review, but the ballot only occurs in the NetSec WG
- Ben and Tim concurred
- Clint was not sure this solves all of the problem, but this does formalize a method for getting feedback and incorporating it from the other WGs
- Discussion by Tim, Ben and Clint of whether the other groups should be allowed to reference a particular version or the new version automatically applies
- Dan suggested that we should not allow references to specific versions, just like the other WGs do
- Trev and Tim discussed and agreed that there are cross-applicable decisions made in other WGs, so this is consistent with what is done elsewhere
- Discussion of how we'd implement voting following the current bylaws
- Ben raised that by suggesting the other groups can give feedback to NetSec WG, we are maybe opening up a discussion of who owns the IP
- Tim feels like anyone could be in the NetSec WG, so they need to join the NetSec WG
- Clint pointed out questions/comments must be on the list so you have to join the group and list in order to participate in the review, while everyone can view the discussion on the list, so IP remains under NetSec WG
- General agreement that this solves the concern if all comments must be done on the NetSec WG list
- Tim and Ben agreed this approach to including other WG in the discussion is good, Ben will take the proposal back and rewrite to reflect this discussion
- Clint asked for other discussion topics
- no response
- Clint raised that there are backlog items to tackle
- Prachi agreed to take defining "PKI system" onboard
- Clint asked if anyone else wants to take on other backlog issues
- can we define risk assessment?
- Daniel agreed to pull some defining into the work currently underway
- Agreed to cancel next meeting due to American Thanksgiving
- Ben to cancel meeting, Clint to send announcement
- Ended at 19:33 UTC
Action items
- Ben will rewrite the charter ballot based on this conversation
- Dan (with Trev and David) will work on the Risk assessment
- Prachi will start next week on the PKI system definition ballot
--
*Daniel Jeffery* | TLS
fastly.com | @fastly <https://twitter.com/fastly> | LinkedIn
<http://www.linkedin.com/company/fastly>