The following minutes were approved in the February 1, 2022 meeting of the NetSec WG.
Net Sec WG – 1st Meeting – Jan. 18, 2022
Present: Ben Wilson – Mozilla, Don Sheehy – WebTrust, Dustin Ward – SSL.com, Martijn Katerbarg – Sectigo, Thomas Connelly – Federal PKI, Brittany Randall – GoDaddy, Clint Wilson – Apple, Kati Davids – GoDaddy, Samantha Frank – Let’s Encrypt, Corey Bonnell – DigiCert, Israel Ventura – Federal PKI, Tim Crawford – WebTrust, Wendy Brown – Federal PKI, Antti Backman – Telia, Jillian Karner – Let’s Encrypt, Prachi Jain – Fastly, Trevoli Ponds-White – Amazon Trust Services, Jozef Nigut – Disig, Christophe Bonjean – GlobalSign, Tobias Josefowitz – Opera, Daniel Jeffery – Fastly, Dustin Hollenback – Microsoft, Janet Hines – SecureTrust, Daryn Wright – GoDaddy, Miguel Sanchez – Google, Adam Jones – Microsoft, Rebecca Kelley – Apple, Tony Seymour – Comsign, Tim Hollebeek – DigiCert, Dean Coclin – DigiCert, Corey Rasmussen – OATI, Ruben Annemans – GlobalSign, David Kluge – Google
Ben – while Microsoft and Google haven’t declared participation yet, they should be allowed to listen in on this meeting as guests.
Antitrust statement: Read by Clint
Ben read through Dean’s email on the initial agenda.
Initial Membership List
Clint read through the list of members who have declared their participation. Ben said that all appear to qualify.
The list was adopted unanimously.
Clint was proposed as the NetSec chair.
That motion passed unanimously.
Official selection of the vice chair was postponed, as has been done previously in the S/MIME and Code Signing WGs.
Ben was selected as Webmaster.
Adoption of the NCSSRs
The NCSSRs will need to be adopted by ballot. Tim H., Clint, and Ben will create one.
NetSec subcommittee of the Server Certificate WG
The Server Certificate WG will need to determine what it wants to do with its NetSec subcommittee.
Risk Assessment Work
Daniel Jeffery discussed the work on Risk Assessment. We have been working on creating a Risk Assessment to inform changes to the NCSSRs. It was proposed and accepted without objection that this work should continue.
Other Goals and Deliverables
Clint opened the floor for discussion of any other goals or deliverables. Clint said the NCSSRs are good, but we need to improve structure and specificity. Trev agreed that we need to continue to identify gaps, for instance vulnerability scanning and the requirement that a critical vulnerability be addressed within 96 hours.
Dan noted previous discussions we’ve had about what the NCSSRs should cover, i.e., best practices for PKI separate from some other common criteria drawn from another security standard. Do we adopt a PKI overlay? What other audit criteria can we use? Clint said we can leverage where we have PKI expertise.
Don noted that WebTrust included security criteria based on ISO. He noted that WebTrust previously gave auditors’ feedback to the original NCSSRs. Ben said he could dig out that input if anyone is interested.
Ben said that separate guidance could be prepared in the form of a desk book for the NCSSRs.
Trev said we could pick up work on offline and air-gapped CAs and decide where to put it and how it should look. Clint said that we could address “zones” in the NCSSRs. Trev said we would address what is a physically secure zone and its logical equivalent.
Clint noted that we are setting up GitHub to track issues and place tags on work we’ll do on the NCSSRs.
Ben noted that we have to get the Charter up on GitHub.
We’ll have to update membership records on the Google sheet.
We discussed resetting our meeting time, currently 11 Pacific on Tuesdays.
Bruce had suggested Wednesdays. We’ll send out a Doodle poll to see the best time for the call.