[cabf_netsec] Minutes of 1st Meeting of NetSec WG (January 18, 2022)

Clint Wilson clintw at apple.com
Wed Feb 2 16:16:27 UTC 2022

The following minutes were approved in the February 1, 2022 meeting of the NetSec WG.

Net Sec WG - 1st Meeting - Jan. 18, 2022

Present:  Ben Wilson - Mozilla, Don Sheehy - WebTrust, Dustin Ward - SSL.com <http://ssl.com/>, Martijn Katerbarg - Sectigo, Thomas Connelly - Federal PKI, Brittany Randall - GoDaddy, Clint Wilson - Apple, Kati Davids - GoDaddy, Samantha Frank - Let's Encrypt, Corey Bonnell - DigiCert, Israel Ventura - Federal PKI, Tim Crawford - WebTrust, Wendy Brown - Federal PKI, Antti Backman - Telia, Jillian Karner - Let's Encrypt, Prachi Jain - Fastly, Trevoli Ponds-White - Amazon Trust Services, Jozef Nigut - Disig, Christophe Bonjean - GlobalSign, Tobias Josefowitz - Opera, Daniel Jeffery - Fastly, Dustin Hollenback - Microsoft, Janet Hines - SecureTrust, Daryn Wright - GoDaddy, Miguel Sanchez - Google, Adam Jones - Microsoft, Rebecca Kelley - Apple, Tony Seymour - Comsign, Tim Hollebeek - DigiCert, Dean Coclin - DigiCert, Corey Rasmussen - OATI, Ruben Annemans - GlobalSign, Adam Jones - Microsoft, David Kluge - Google, Israel Ventura - Federal PKI

Ben – while Microsoft and Google haven't declared participation yet, they should be allowed to listen in on this meeting as guests. 

Antitrust statement: Read by Clint

Agenda discussed.

Ben read through Dean's email on the initial agenda.

Initial Membership List

Clint read through the list of members who have declared their participation. Ben said that all appear to qualify.

The list was adopted unanimously.


Clint was proposed as the NetSec chair.

That motion passed unanimously

Official selection of the vice chair was postponed, as has been done previously in the SMIME and Code Signing WGs. 

Ben was selected as Webmaster.

Adoption of the NCSSRs

The NCSSRs will need to be adopted by ballot.  Tim H., Clint, and Ben will create one.

NetSec subcommittee of the Server Certificate WG

The Server Certificate WG will need to determine what it wants to do with its NetSec subcommittee.

Risk Assessment Work

Daniel Jeffery discussed the work on Risk Assessment.  We have been working on creating a Risk Assessment to inform changes to the NCSSRs. It was proposed and accepted without objection that this work should continue. 

Other Goals and Deliverables

Clint opened the floor for discussion of any other goals or deliverables. Clint said the NCSSRs are good, but we need to improve structure and specificity. Trev agreed that we need to continue to identify gaps.  For instance, vulnerability scanning and the requirement that there are only 96 hours to address a critical vulnerability.

Dan noted previous discussions we’ve had about what the NCSSRs should cover- i.e. best practices for PKI separate from some other common criteria from another security standard. Do we adopt a PKI overlay? What other audit criteria can we use?  Clint said we can leverage where we have PKI expertise.

Don noted that WebTrust included security criteria based on ISO. He noted that WebTrust previously gave auditors’ feedback to the original NCSSRs. Ben said he could dig out that input if anyone is interested.  

Ben said that separate guidance could be prepared in the form of a desk book for the NCSSRs.

Trev said we could pick up work on offline and air-gapped CAs and decide where to put it and how it should look.  Clint said that we could address "zones" in the NCSSRs. Trev said we would address what is a physically secure zone and its logical equivalent.

Clint noted that we are setting up GitHub to track issues and place tags on work we’ll do on the NCSSRs.

Ben noted that we have to get the Charter up on GitHub. 

We’ll have to update membership records on the Google sheet.

Meeting Schedule

We discussed resetting our meeting time, currently 11 Pacific on Tuesdays.

Bruce had suggested Wednesdays. We’ll send out a Doodle poll to see the best time for the call. 

Meeting adjourned.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/netsec/attachments/20220202/0480bf53/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3621 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/netsec/attachments/20220202/0480bf53/attachment.p7s>

More information about the Netsec mailing list