[cabf_netsec] Minutes from the Network Security Subcommittee meeting 2021-08-31

Dustin Hollenback Dustin.Hollenback at microsoft.com
Thu Sep 2 22:09:53 UTC 2021

Hello all,

Here are the draft minutes from the meeting on Tuesday.



Anti-trust statement

  *   Ben Wilson (Mozilla) read the anti-trust statement


  *   Ali Gholami (Telia Company)
  *   Ben Wilson (Mozilla)
  *   Brittany Randall (GoDaddy)
  *   Clint Wilson (Apple)
  *   Corey Bonnell (DigiCert)
  *   Daniel Jeffery (Fastly)
  *   David Kluge (Google Trust Services)
  *   Dustin Hollenback (Microsoft)
  *   Janet Hines (SecureTrust)
  *   Kati Davids (GoDaddy)
  *   Niko Carpenter (SecureTrust)
  *   Prachi Jain (Fastly)
  *   Quan Nham (Fastly)
  *   Tim Crawford (BDO)
  *   Tobias Josefowitz (Opera)
  *   Trevoli Ponds-White (Amazon Trust Services)
  *   Tyler Myers (GoDaddy)

Minute Taker

  *   Dustin Hollenback (Microsoft)

Approve Previous Minutes

  *   2021-Aug-17 minutes approved

New NetSec Subcommittee Leadership

  *   Ben Wilson (Mozilla) proposed that we set the officers
     *   Clint Wilson (Apple) Chair
     *   David Kluge (Google Trust Services) 1st Vice Chair
     *   Dustin Hollenback (Microsoft) 2nd Vice Chair
     *   There were no objections.

WebEx Access

  *   Clint Wilson (Apple), David Kluge (Google), and Ben Wilson (Mozilla) have host access and can start future meetings

Possible Change to Subcommittee Meeting Time

  *   As of now, all participation is from North America and Europe
  *   Clint Wilson (Apple) mentioned that all of the other meeting times are at either 7 a.m. or 8 a.m. Pacific time and that the current meeting time slot may be late for members joining from Europe
  *   For primary meeting, Clint Wilson (Apple) will send a Google Doodle for members to vote on potential new days/times on Monday and Tuesday. There was strong pushback about scheduling a Friday meeting.

Discussion about Future of Sub-Groups and Break-out Sessions

  *   Clint Wilson (Apple) asked if we should continue to have dedicated sub-group meetings or if we should use part of the time for the Subcommittee meeting and setup break-out sessions where smaller groups can focus on specific topics at the same time.
  *   Ben Wilson (Mozilla) mentioned that some people like to be involved in everything. Different meetings allow those people to participate in everything.
  *   Trevoli Ponds-White (Amazon Trust Services) suggested instead of permanent distinct sub-groups, that we have short duration sub-groups that accomplish a specific thing. In this case, we would set pre-determined meetings for consistency, but we would assign particular topics to that time slot until the activity is completed and re-use future meetings in that time slot for the next important topic. This will require more time management. We made a lot of good progress on the point points, but this approach could allow us to make progress on smaller parts.
  *   Ben Wilson (Mozilla) agreed. Cloud services may be the only topic that may continue to meet permanently with a set timeframe. He likes the idea of breaking out smaller topics and prioritizing a particular concern at that time.
  *   Clint Wilson (Apple) wanted to know what are the priority topics.
  *   Trevoli Ponds-White (Amazon Trust Services) suggested that we just focus on setting a few meeting times now and then we can decide how to fill them later. Once we have a good meeting time, the easier part will be to change the meeting topic. Trev wanted to get feedback from David Kluge (Google Trust Services).
  *   David Kluge (Google Trust Services) said that he was OK with re-using the existing Monday time slot for other topics instead of only Cloud Services. He was only concerned that we continue to focus on the areas of improvement that were identified in the Cloud Services sub-group.
  *   Trevoli Ponds-White (Amazon Trust Services) felt like the Cloud Services area has hit a wall. There are still improvements to Network Security Requirements needed first that will benefit cloud services.
  *   Daniel Jeffery (Fastly) agreed that cloud services has hit a wall. He agreed on setting times, then defining what to discuss in each one over time. He proposes that the main meeting is a sum-up and agreement meeting, but primary work is all performed in the other sub-group or task-specific meetings.
  *   Clint Wilson (Apple) mentioned that we still have somewhat similar topics as we've had in the past. An example is the document structure (re-writing document). Focus areas have been clarifying ambiguities and removing duplicate requirements or language that are part of the NCSSRs, but are not PKI specific. This includes removing requirements where the Forum members may not be the experts.
  *   Trevoli Ponds-White (Amazon Trust Services) mentioned that we should reference meeting existing industry standards instead of writing our own. As an example, sections of the Baseline Requirements are empty or have limited details. Vulnerability management is a good first example where we can point to a different standard.
  *   Daniel Jeffery (Fastly) said that a previous meeting discussed existing security standards that would be better to point to. The goal should be to avoid re-creating a standard and instead reference an existing standard that can be used by all forum members and then focusing on any differences or gaps in those standards that impact Web PKI. Daniel mentioned that different standards may not be applicable or allowed in different countries.
  *   Dustin Hollenback (Microsoft) asked what is the action item is for determining which standards could be leveraged.
  *   Daniel Jeffery (Fastly) suggested that we use a dedicated breakout meeting to discuss. If anyone wants to research beforehand, it would be helpful. Daniel mentioned that different standards may not be applicable or allowed in different countries and we need the standard to be usable for every member.
  *   The group collectively mentioned several potential programs such as: National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), Payment Card Industry (PCI), System and Organization Controls (SOC), International Organization for Standardization (ISO), or Federal Risk and Authorization Management Program (FedRAMP).
  *   Brittany Randall (GoDaddy) agreed that it is better to reference/benchmark against existing industry standards where we are not the experts. As we potentially point to a different standard, it could mean that an additional audit could be required. It's also important to ensure that it can work for all countries. We could even identify where we need exceptions to the standard.
  *   Daniel Jeffery (Fastly) mentioned that the key piece is that we clearly identify the things that Web PKI needs. We can create an overlay that points to a solid regulatory framework as the baseline.
  *   Brittany Randall (GoDaddy) mentioned that some of the frameworks require internal audits. There could potentially be additional 3rd party attestation.
  *   David Kluge (Google Trust Services) mentioned that this was where the cloud services sub-group started. There were industry requirements and an overlay of the PKI-specific differences. David referenced the following document that a group on his team prepared as part of that previous discussion. https://docs.google.com/spreadsheets/d/10mQ94Lzjd_qy_DeIpXQl3CpEGVzY5ISqr67BE8CZb3o/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fspreadsheets%2Fd%2F10mQ94Lzjd_qy_DeIpXQl3CpEGVzY5ISqr67BE8CZb3o%2F&data=04%7C01%7CDustin.Hollenback%40microsoft.com%7C992a0a93259a4d0cf0f808d96cfbe7e1%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637660651475532065%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=q2yN5lEN7XDoBUrrTEkyhfgYLO0DKHfP6%2FulUVub%2Fks%3D&reserved=0>
  *   Clint Wilson (Apple) asked if there were specific standards that appeared to be more likely to be used.
  *   David Kluge (Google Trust Services) mentioned that the ETSI standard was the most relevant. An interesting observation is that the NCSSRs do not cover very many subjects. Preserving the status quo is not the safest option. The safest option is to clarify ambiguities and close gaps. There are architectural limitations imposed by current NCSSRs based on ambiguities and that they were based on an older technological vision.
  *   There were discussions about David's document and that it helps highlight all of the things that are not currently covered by in the NCSSRs today. These gaps have left vagueness where different CAs will implement differently and interpretation has been left to the auditors.
  *   Clint Wilson (Apple) asked if the review of NCSSRs has a lot of overlap with the Cloud Services work or if they should be done as separate activities.
  *   David Kluge (Google Trust Services) said that there is probably a lot of overlap. Once we find a standard to reference, the incremental changes will probably be fairly small. That might solve most of impediments to using cloud providers. 3rd party audit still needs to be solved.
  *   Clint Wilson (Apple) recapped the outcome.... we'd shift focus away from Cloud Services and have a task force that looks at scope. He asked if scoping should be the primary focus for NetSec. Everyone that provided input agreed that scoping should be our man focus. Clint asked where what standards we should look at closer.
  *   Ben Wilson (Mozilla) suggested that we look at the different standards and decide what do we want to do with specificity of requirements versus frameworks that are not as specific. If we adopt a framework, we are telling CAs that the things expected in that framework are completed, but we are not looking at the specifics. We would expect that you are meeting those requirements by getting the certification.
  *   Brittany Randall (GoDaddy) mentioned that some of these other audits have different timelines, such as every 3 years. This brings up some tactical things that would need to be addressed.
  *   Daniel Jeffery (Fastly) thinks we should focus on the standard. Some standards are very specific and prescriptive about how things should be setup and it is more difficult. He thinks that we should be more specific.
  *   Trevoli Ponds-White (Amazon Trust Services) suggested compiling the larger list and then creating pros/cons list to determine which are PKI specific and do we care about the gaps in NCSSRs. And, determine when standards introduce requirements that we do not want. An example is the PCI password policy, which is something Trevoli does not think we should keep. In that example, we could say we want PCI, but not the password policy. This will help determine if we can just link to standards or if we need to copy sections into the NSSRs. Once we get very specific requirements, we'll need to notify the broader group to warn everyone so they can start thinking about what impact this would have.
  *   Clint Wilson (Apple) agreed that the subcommittee would need to perform a lot of the assessment before it gets to the Server Certificate Working Group.
  *   There was more discussion about how this could cause architectural changes to meet any new prescriptive requirements. We will determine more information once we create a pros/cons list and narrow down the potential standards to implement. We'll use this next meeting to discuss in more detail.

Final thoughts

  *   Clint Wilson (Apple) will send the Doodle poll to determine a new meeting time
  *   For the next meeting, we'll discuss in-progress ballots
  *   A few members will look at standards before the next meeting to start the pros/cons list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/netsec/attachments/20210902/8c580a31/attachment-0001.html>

More information about the Netsec mailing list