[cabf_netsec] Draft Meeting Minutes - Tuesday, September 14, 2021

Prachi Jain pjain at fastly.com
Thu Sep 16 17:50:48 UTC 2021

Hello Everyone,

Here are the draft minutes of the meeting held on Tuesday, Sept-14-2021.





   - Ben Wilson (Mozilla)
   - Clint Wilson (Apple)
   - Corey Bonnell (DigiCert)
   - Daniel Jeffery (Fastly)
   - David Kluge (Google Trust Services)
   - Dustin Hollenback (Microsoft)
   - Janet Hines (SecureTrust)
   - Niko Carpenter (SecureTrust)
   - Prachi Jain (Fastly)
   - Quan Nham (Fastly)
   - Tim Crawford (BDO)
   - Trevoli Ponds-White (Amazon Trust Services)
   - Tyler Myers (GoDaddy)
   - Gabriel Petcu (CertSign)
   - Jose Guzman (GoDaddy)

*Anti-trust statement*

   - Clint Wilson (Apple) read the anti-trust statement

*Minute Taker*

   - Prachi Jain (Fastly)

*Approve Previous Minutes*

   - 2021-Aug-31 minutes approved

*Doodle Poll Discussion*

Clint Wilson (Apple) mentioned that, as per the Doodle results, the existing
time is best suited to everyone. 8 out of 11 responses are in favor of the
same timings. Decision was taken to keep the meeting as is: 18:00 UTC on

*Discussion Regarding Inflight Ballots*

   1. *Ballot SC34 (not requiring manual review of inactive user accounts)*
   - Trevoli Ponds-White (Amazon Trust Services) mentioned that she has
   emailed Tobias about the same. No further updates.

   2. *Ballot SCXX - Audit Log and Archive Retention*
   - Clint Wilson (Apple) mentioned that he has updated the document making
   it current to version 1.8 of the BRs. Major difference is a definition
   added to section 1.6. It was also mentioned that the document is now ready
   to be taken to SCWG and get a ballot number as well as sponsors. Ben
   Wilson (Mozilla) said that there is a need to ensure that every time we add a
   definition to Network Security Requirements, the same word is not
   defined in Baseline Requirements, in order to avoid a conflict. Clint agreed
   with Ben's comment and also said that no conflicts were found in this case.
   He further showed and discussed the document. Trevoli Ponds-White (Amazon
   Trust Services) asked for some clarification around 5.4.1 where it says
   that the *'CA and each Delegated Third Party SHALL record events related
   to the security of their Certificate Systems,...'*. Daniel Jeffery
   (Fastly) agreed that it is unclear. Decision was made to change the
   language to ensure that it reads that '*CA and Delegated Third Party
   shall record their events...*'. Ben Wilson (Mozilla) commented about some
   of the words like 'Certificate Systems', 'Certificate Management Systems',
   'Root CA Systems' etc. in 5.5.1, as a process within the network security
   subcommittee, we might end up defining some of these words because there
   has always been discussion around what they actually mean. Clint Wilson
   (Apple) mentioned that we have added pointers to the definition from NSRs
   in these sections to avoid that ambiguity. Trevoli Ponds-White (Amazon
   Trust Services) will endorse this ballot. It still needs one more endorser.
   David Kluge (Google) asked regarding section 5.1.1, if there is an intention
   to differentiate between archiving, retaining and storing, or whether they
   are all the same since they can be misunderstood. Clint clarified that it's
   fine to have two copies of the records, one in audit log storage and
   another one in the archive, as long as they are being stored for 2 years
   after the event occurred. They are really speaking to the same thing. He
   also added that archive logs go a little bit further since they not only
   include audit logs but also things like validation activity etc. Trevoli
   added that usage of the word 'archives' is benign.

   3. *Ballot SCXX - Remove BR 4.1.1 (Database for Suspicious Certificate
   No major updates. Going to move forward to SCWG to get a ballot number. Ben
   Wilson (Mozilla) pointed out in that '*Forbidden, Weak, or
   Compromised Keys*' are not defined terms in BRs but are capitalized.
   Clint will verify and make the updates.

   4. *Ballot SC32 - Remove Zones*
   Ben discussed the redlined version of security requirements (link
   Trevoli asked if everyone is aware of the reason why we want to remove
   the zones concept. Daniel Jeffery (Fastly) said that it's an attempt to take
   out the language which does not have clear meaning and clarify the
   requirements better. Trevoli said that we were using zones interchangeably
   for physical and logical spaces. A thorough discussion was done around Ryan
   Sleevi's comments on this ballot (link
   Ben and Trevoli discussed 1.e around having boundaries between Certificate
   System and non-certificate systems. It was mentioned that it is not clear
   if there is an expectation that the certificate system has to be in a
   physically different location than non-certificate systems and what
   constitutes physically different. David Kluge (Google) agreed and said
   that the challenge with the zones concept has always been that it ties the
   hosting requirements to the business purpose and not to the actual security. Ben
   further talked about 1.e and said maybe we should think about starting from
   scratch and writing a version 2.0 for network security requirements. David
   agreed but also added that it's important to have a discussion if Ryan
   Sleevi feels that zones are central to CA infrastructure security. He also
   added that no real risk has been brought up during the past
   discussions. Trevoli agreed. Daniel chimed in and said that this goes back
   to the past conversations the netsec group has had around using an
   existing regulatory framework plus building a PKI specific overlay on it
   instead of reinventing the wheel. Trevor said that 1.e of network security
   requirements is read as logical separation vs physical separation. Clint
   added his perspective where he read it as either physical or logical.
   Daniel added that he has implemented it in the past as a combination of the
   two. Further discussions were done around 1.e on how the language can be
   changed. David brought back the point that we need to know if there is a
   substantiated concern with this ballot. Trev suggested that we should go
   back to SCWG and ask for specific concerns on 1.e. Daniel said that he
   feels strongly that we should move away from defining these requirements at
   all and everyone agreed to some extent. Further Trev mentioned that the
   pain points group led by David made some substantial improvements.

   *Action Item: Ben will send an email to SCWG to get this ballot out in
   discussion again with the modified language.*

   5. *Ballot SC40 - Air-Gapped / Offline CAs*
   Ben Wilson (Mozilla) said that we may want to look into the past versions
   of network security requirements to find out if anything has changed with
   the principle behind air gapped CA systems. He also added the definition of
   'Principle of least privilege' as per suggestion from Microsoft. There was
   some discussion if it would make more sense to send the air-gapped ballot
   before the zones ballot.

*Closing thoughts:*
1. Since we couldn't get to the entire agenda in this meeting, we will
start with Github work in the next meeting.
2. We will continue the Cloud Security sub-group meeting.
3. Daniel Jeffery (Fastly) would like to take some time in the next Cloud
Security sub-group meeting to share his thoughts around the strategy.
