[cabf_netsec] Meeting Minutes 01/31

Prachi Jain pjain at fastly.com
Sun Feb 26 22:27:06 UTC 2023


Hello,


Please find below the minutes for the 31st January NetSec Meeting.


*CA/Browser Forum NetSec Meeting*


*Attendance:*

Adam Jones - Microsoft
Ben Wilson - Mozilla
Bruce Morton - Entrust
Corey Bonnell - DigiCert
Clint Wilson - Apple
Corey Rasmussen - OATI
Daryn Wright - GoDaddy
Inigo Barreira - Sectigo
Jozef Night - Disig
Marcelo Silva - Visa
Prachi Jain - Fastly
Rebecca Kelley - Apple
Rollin Yu - TrustAsia
Ruben Annemans - GlobalSign
Ryan Dickson
Tobias Josefowitz - Opera
Trevoli - Amazon Trust Services
Wendy Brown - FPKI



*Minutes:*

*1. Read Antitrust Statement*

Clint Wilson read the antitrust statement.


*2.   Roll Call*

Manual roll call was done.

*3.   Note from Chair*

Clint mentioned that a new Webex account was created that can be shared
across all chairs and vice-chairs. The NetSec meeting has been moved to the
new account and the new link has been sent. Clint will resend it for
clarity.


*4.   Agenda*

a. Minutes of the last meeting 01/03 were approved.

b. Minutes from both the F2F in Berlin and 12/06/2022 meetings were
approved as well.

(No new agenda items added.)

c. *Discussion of red-line document of the NetSec requirements*

Ben gave an overview of the last call and the work since then. Last call we
mainly focused on section 3, logging and alerting. Comments were taken from
the minutes and added to sub-sections #1, 2 and 3. We started on #4 but
didn't finish.


Trevoli asked what exactly we are doing, to which Ben replied that we are
writing a high-level objective for the whole section (4 general sections).
Clint added that it is an introductory statement that helps us define the
goals we have for the sections. Trevoli asked whether section 1 is a
description of the current reality or the goal of what we think the
requirements should be changed to. Daryn Wright answered that it is probably
a little bit of both and that we are trying to put together guiding
principles of what we want. Clint added that there should be some reflection
of reality. Trevoli further asked whether the email mentioned in section 1
(General Protections for the network and supporting systems) refers to
general email or to the email used for validation. Clint said that it is
talking about the S/MIME, code signing and TLS working groups in the forum.
Marcelo made a comment regarding the language of the document, such as using
'it is expected' vs. 'we expect'. Ben and Marcelo had some discussion around
it and updated the language accordingly.

Wendy Brown added that she is unsure whether "delivery of the code" is quite
symmetrical with the other items, but that it perhaps shows integrity of the
code. Ben further talked about how we can address security, integrity and
availability, and Wendy pointed out that this item has nothing to do with
availability.

Ben added that if a CA is compromised then all of its certs will be revoked
and then the internet is not available. Trevoli added that it depends on
whether the client checks certificate status or not, but there will be
problems either way. Trev added that the last few known PKI outages had zero
to do with security. Wendy said that certificates play a vital role in the
security of internet systems and email and demonstrate the integrity of
application code. She also suggested changing the wording to refer to the
certificates issued, because it is not the CA that plays the vital role but
what the CA is issuing. Trevoli further added that when you get into the
change management process, you can lump that into security as well. You can
secure systems, but when you get into practices and policies, there is an
aspect of the development process. Ben added that there is another question
here of whether general protections of the network and supporting systems
should be moved further up. Trevoli commented that logging and monitoring
are also part of the infrastructure, plus patch management. Further
discussion followed around where to move the section and what should come in
its place.

Clint suggested that we either move the section right after the introduction
or keep it as is and expand it with another sentence. Trevoli agreed. There
was some further discussion between Clint and Trevoli around how section 1
currently reads and how infrastructure encompasses all 4 sections.

Wendy added that she reads the section as being about access and
maintenance. Trevoli and Clint added that yes, it does include some of the
access items, which look randomly thrown in there. Clint said that there is
an expectation that CAs initially define and implement these runbacks but
that they also maintain them to a high level of current and ever-evolving
security expectations. Ben asked that we nail down this section. Trevoli
said that policies should define the security controls and how they are
implemented, but that a more important part would be to break this up into
several sentences and say something like "must define and maintain practices
to limit access so that the systems are better off" for each individual
item, because that will be better than just summarizing the section. Clint
agreed and said that yes, the idea is what we expect to accomplish by
setting these requirements, i.e. what the expected outcome is. Ben asked
whether, when we say "define and maintain practices", we are talking about
maintaining policies and procedures. Tobias said that we need to take a step
back. Most if not all CAs have defined practices; for example, DigiNotar
definitely had documented and defined practices, such as network
segregation, that they had implemented. The faults and exploitation were not
with the defined practices at all, because what they wanted to achieve was
not wrong; they simply failed to do so. We expect some sort of excellence
from all CAs in all areas, which is a great responsibility. Wendy added that
what we are trying to do is define an overarching goal, and then each of the
bullets below should be a specific of it. Ben said that we have to make the
statement not only a baseline but also somewhat aspirational. Trevoli and
Clint agreed. The outcome should be that the CAs cannot be compromised.
Wendy added CA keys as well. Clint said that another outcome could be that
CAs can identify any anomalous event that occurs in their infrastructure,
which also encompasses being able to perform in-depth analysis of the same.
Trev liked Clint's ideas and shared her thoughts around the same:
configuring the CA in such a way that the systems are resilient to internal
actors and unintentional mistakes. Ben made the updates in the doc
accordingly: protection against external threat actors but also internal
ones, and against mistakes made by the human component. Ben said that
mistakes are included in the internal threats; intent is a threat, and the
outcome is that CAs should account for mistakes. More brainstorming was done
around components of the introductory statement. Tobias and Wendy said that
the CAs should be resilient to most things, internal or external.

Tobias added auditability as an outcome. Trev added that systems should
produce sufficient artifacts to enable investigation of anomalous events.
Further brainstorming around the wording of the outcomes was done.

Clint said that he will resend the invite or an email. No further business.

Next meeting at F2F Ottawa, Canada.


Thanks!