[cabf_netsec] Draft Meeting Minutes - Tuesday, September 14, 2021
Prachi Jain
pjain at fastly.com
Thu Sep 16 17:50:48 UTC 2021
Hello Everyone,
Here are the draft minutes of the meeting held on Tuesday, Sept-14-2021.
Thanks,
Prachi
-------------------------------------------------------------------------------------------------------------
*Attendees*:
- Ben Wilson (Mozilla)
- Clint Wilson (Apple)
- Corey Bonnell (DigiCert)
- Daniel Jeffery (Fastly)
- David Kluge (Google Trust Services)
- Dustin Hollenback (Microsoft)
- Janet Hines (SecureTrust)
- Niko Carpenter (SecureTrust)
- Prachi Jain (Fastly)
- Quan Nham (Fastly)
- Tim Crawford (BDO)
- Trevoli Ponds-White (Amazon Trust Services)
- Tyler Myers (GoDaddy)
- Gabriel Petcu (CertSign)
- Jose Guzman (GoDaddy)
*Anti-trust statement*
- Clint Wilson (Apple) read the anti-trust statement
*Minute Taker*
- Prachi Jain (Fastly)
*Approve Previous Minutes*
- 2021-Aug-31 minutes approved
*Doodle Poll Discussion*
Clint Wilson (Apple) mentioned that as per the Doodle results, the existing
time is best suited to everyone. 8 out of 11 responses are in favor of the
same timings. Decision was taken to keep the meeting as is: 18:00 UTC on
Tuesdays.
*Discussion Regarding Inflight Ballots*
1. *Ballot SC34 (not requiring manual review of inactive user accounts)
<https://github.com/cabforum/servercert/commit/63d2d1eef357fa139eb1da96a46347db9f353148>*
– Trevoli Ponds-White (Amazon Trust Services) mentioned that she has
emailed Tobias about the same. No further updates.
2. *Ballot SCXX - Audit Log and Archive Retention
<https://github.com/cabforum/servercert/compare/main...clintwilson:SCXX---Audit-Logs-and-Records-Archives>*
- Clint Wilson (Apple) mentioned that he has updated the document, making
it current to version 1.8 of the BRs. Major difference is a definition
added to section 1.6. It was also mentioned that the document is now ready
to be taken to SCWG and get a ballot number as well as sponsors. Ben
Wilson (Mozilla) said that there is a need to ensure that every time we add a
definition to Network Security Requirements, that the same word is not
defined in Baseline Requirements in order to avoid a conflict. Clint agreed
to Ben's comment and also said that no conflicts were found in this case.
He further showed and discussed the document. Trevoli Ponds-White (Amazon
Trust Services) asked for some clarification around 5.4.1 where it says
that the *'CA and each Delegated Third Party SHALL record events related
to the security of their Certificate Systems,...'*. Daniel Jeffery
(Fastly) agreed that it is unclear. Decision was made to change the
language to ensure that it reads that '*CA and Delegated Third Party
shall record their events...*'. Ben Wilson (Mozilla) commented about some
of the words like 'Certificate Systems', 'Certificate Management Systems',
'Root CA Systems' etc in 5.5.1, as a process within the network security
subcommittee, we might end up defining some of these words because there
has always been discussion around what they actually mean. Clint Wilson
(Apple) mentioned that we have added pointers to the definition from NSRs
in these sections to avoid that ambiguity. Trevoli Ponds-White (Amazon
Trust Services) will endorse this ballot. It still needs one more endorser.
David Kluge (Google) asked regarding section 5.1.1, if there is an intention
to differentiate between archiving, retaining and storing, or whether they
are all the same since they can be misunderstood. Clint clarified that it's
fine to have two copies of the records, one in audit log storage and
another one in the archive, as long as they are being stored for 2 years
after the event occurred. They are really speaking to the same thing. He
also added that archive logs go a little bit further since they not only
include audit logs but also things like validation activity etc. Trevoli
added that usage of the word archives is benign.
3. *Ballot SCXX - Remove BR 4.1.1 (Database for Suspicious Certificate
Requests)*:
<https://github.com/cabforum/servercert/compare/main...clintwilson:ctw-2_add-persistent-ca-services>
No major updates. Going to move forward to SCWG to get a ballot number. Ben
Wilson (Mozilla) pointed out in 6.1.1.3 that '*Forbidden, Weak, or
Compromised Keys*' are not defined terms in BRs but are capitalized.
Clint will verify and make the updates.
4. *Ballot SC32 - Remove Zones
<https://docs.google.com/document/d/1Xlbg-0Hg1A3Px1Gj8XCQFSal5V_84hBjtVwohbXqiqM/edit>-*
Ben discussed the red-lined version of security requirements (link
<https://docs.google.com/document/d/1c4_4axIV34pXWsb0BBjGaI7NLJ-PQcq1/edit>).
Trevoli asked if everyone is aware of the reason why we want to remove
the zones concept. Daniel Jeffery (Fastly) said that it's an attempt to take
out the language which does not have clear meaning and clarify the
requirements better. Trevoli said that we were using zones interchangeably
for physical and logical spaces. A thorough discussion was done around Ryan
Sleevi's comments on this ballot (link
<https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002033.html>).
Ben and Trevoli discussed 1.e around having boundaries between Certificate
System and non-certificate systems. It was mentioned that it is not clear
if there is an expectation that the certificate system has to be in a
physically different location than non-certificate systems and what
constitutes physically different. David Kluge (Google) agreed and said
that the challenge with the zones concept has always been that it ties the hosting
requirements to the business purpose and not to the actual security. Ben
further talked about 1.e and said maybe we should think about starting from
scratch and writing a version 2.0 for network security requirements. David
agreed but also added that it's important to have a discussion if Ryan
Sleevi feels that zones are central to CA infrastructure security. He also
added that no real risk has been brought up during the past
discussions. Trevoli agreed. Daniel chimed in and said that this goes back
to the past conversations the netsec group have had around using an
existing regulatory framework plus building a PKI specific overlay on it
instead of reinventing the wheel. Trevoli said that 1.e of network security
requirements is read as logical separation vs physical separation. Clint
added his perspective where he read it as either physical or logical.
Daniel added that he has implemented it in the past as a combination of the
two. Further discussions were done around 1.e on how the language can be
changed. David brought back the point that we need to know if there is a
substantiated concern with this ballot. Trev suggested that we should go
back to SCWG and ask for specific concerns on 1.e. Daniel said that he
feels strongly that we should move away from defining these requirements at
all and everyone agreed to some extent. Further Trev mentioned that the
pain points group led by David made some substantial improvements.
*Action Item: Ben will send an email to SCWG to get this ballot out in
discussion again with the modified language.*
5. *Ballot SC40 - Air-Gapped / Offline CAs*:
<https://docs.google.com/document/d/1cnb1JNuckOjo5UbQdWVtU5t-PpS2HLt7/edit>
Ben Wilson (Mozilla) said that we may want to look into the past versions
of network security requirements to find out if anything has changed with
the principle behind air gapped CA systems. He also added the definition of
'Principle of least privilege' as per suggestion from Microsoft. There was
some discussion if it would make more sense to send the air-gapped ballot
before the zones ballot.
*Closing thoughts:*
1. Since we couldn't get to the entire agenda in this meeting, we will
start with Github work in the next meeting.
2. We will continue the Cloud Security sub-group meeting.
3. Daniel Jeffery (Fastly) would like to take some time in the next Cloud
Security sub-group meeting to share his thoughts around the strategy.