[cabf_netsec] Minutes of NetSec WG - March 29, 2022

Clint Wilson clintw at apple.com
Wed Apr 27 14:41:39 UTC 2022

The following minutes were approved in the April 26, 2022 meeting of the NetSec WG:

2022-03-29 | CABF NetSecWG Minutes
Attendees: Adam Jones, Antti Backman, Ben Wilson, Brittany Randall, Bruce Morton, Clint Wilson, Corey Bonnell, Daniel Jeffery, Daryn Wright, David Kluge, Dustin Hollenback, Inigo Barreira, Jillian Karner, Joanna Fox, Jozef Nigut, Kiran Tumala, Marcelo Silva, Pedro Fuentes, Rebecca Kelley, Ruben Annemans, Thomas Connelly, Tim Crawford, Tobias Josefowitz, Tony Seymour, Trevoli Ponds-White

Clint Wilson reads anti-trust statement, verifies recording
Dan Jeffery volunteers to take minutes
Approval of last meeting minutes
Settled on Wednesday 9am Pacific time for this meeting
Discussion of Ben's progress on better defining offline and high security zones
Ben asked us to follow up with him during the week to help him stay focused
Clint offered to ping later in the week
Transition to discussing the risk assessment work
Dan presents current progress
Green-striped the new assets tab
discussed environment definitions
discussed the structure of the tabs now
explanation of the concept of green-striped tabs
next tab to focus is the scoring explanations tab
Discussion of whether we should do further work here
Marcelo asks a question as to whether root CA and offline CA should be different assessments
Clarification that root CA and offline CA will be the same
Call for questions
Clint identifies some internal resources that would be happy to engage and help us refine the risk assessment; when should we do that?
Once we have the green stripes done would be one good point; once we have the offline/root CA done would be another good point
probably within the next week or two
discussion of how that will be done, Clint will see how they want to do it
David points out that there has been little progress on filling out scenarios that people had volunteered to look at
can we pick what to focus on
look at the doc and find the pages
David looks over the items and suggests picking one
Some discussion of which to pick with Trev, David and Dan
Trev will take an unassigned category tomorrow
Trev points out we don't have anything else today
Agree to discuss the assets tab right now since it's 'done'
quick recap of what green stripe/done means
Sharing of assets tab and discussion of how we got to this list
Take five minutes to let everyone read over the current assets
Marcelo raises concern that the data transfer capabilities and underlying software assets cover too much and that we are missing things
Trev and Dan respond; long discussion with Marcelo about why the categories are organised as they are
Marcelo agrees to comment on items with how he thinks they could be broken up so we can review them
Trev suggests putting a comment on the column heading to explain the contents and purpose better
Marcelo raises line 21 to understand why registration is grouped with OCSP and CRL
explain the grouping as to why they are set up how they are (to reflect the types of risks and exposure the things in the environment are exposed to)
Further question and discussion of the meaning of the OCSP, CRL registration environment
discussion of how to best represent the environments and transitions between them
discussion of line 9 and where data is included
should we have a different environment for transitions between environments
discussion of recombining software fields
Clint calls time and agreement to continue discussion in tomorrow's working group meeting.
participants invited to formulate their thoughts and suggestions for that meeting
Call ended 2 minutes after the hour.

