2022-03-01 Minutes of the Network Security Working Group

NetSec Working Group – March 1, 2022

Attendees:

  • Antti Backman
  • Ben Wilson
  • Brittany Randall
  • Bruce Morton
  • Clint Wilson
  • Corey Bonnell
  • Daryn Wright
  • Don Sheehy
  • Dustin Hollenback
  • Jillian Karner
  • Joanna Fox
  • Jozef Nigut
  • Kati Davids
  • Niko Carpenter
  • Prachi Jain
  • Pedro Fuentes
  • Rebecca Kelley
  • Ruben Anne
  • Ryan Dickson
  • Tim Crawford
  • Tobias Josefowitz
  • Trevoli Ponds-White
  • Tyler Myers
  • Christophe Bonjean

1. Read Antitrust Statement

Clint Wilson read the antitrust statement.

2. Roll Call

Clint Wilson read the roll.

3. Review Agenda

No changes were made to the agenda.

4. Approval of Minutes from last meeting

No objections. Minutes were approved from Feb-15th call.

5. Discussion around definitions of zones

Ben mentioned that there are 2 issues that can be separated out: one is the issue of zones and the other is the term ‘high security zone’ (offline high security CA physical environment). There has been some pushback around this term. Ben talked about the different tiers/zones/layers of security. Trev reiterated why we wanted to get rid of the term ‘zones’. The initial criticism is that some people think that a high security zone details some minimum security requirements, but it doesn’t do so in the NSRs. There was further discussion of how to fix this. Trev mentioned there hasn’t been broad opposition to removing either of the zones terms (except from one person).

Clint clarified that the problem statement is that the NSRs don’t actually impose any security requirements on the HSMs and how they are used, stored and managed. The proposed fix is to replace and provide new definitions and terminologies around how HSMs are managed and connected. Trev clarified that we are not proposing new terms but trying to remove the ‘high security zone’ term, since it is being used in different ways in different places in the NSRs. The idea is to replace them with the detailed sentence instead of using that term, to clarify what we mean. Clint further added that it is definitely a very worrisome problem statement.

Trev brought up the air gapped ballot (https://lists.cabforum.org/pipermail/netsec/2020-November/000420.html). Tim Crawford clarified that the initial issue was that right now everything applies to offline environments, which shouldn’t be the case, and that we should separate out the controls around offline environments. Ben mentioned that we should create separate ballots for all these issues. Brittany Randall supported the change. Trev mentioned that Ben should resurface the old ballot where we replace all the zones/high security zones with the whole sentence.

It was also mentioned that the criticism was that we are lowering the security by removing that term and by just replacing it with its definition. Ben went through the old air-gapped ballot and shared all the changes.

Dustin Hollenback asked what the pushback had been in the past, and Ben explained how striking out ‘high security zone’ was being considered a step backwards in terms of security. There was general agreement that there is a need to define physical security for offline roots. Clint suggested that it would be beneficial to have ‘physically secure environment’ as a defined term. There was further discussion around the past comments and how to address them. A proposal for changes to BR section 5 was discussed around improving the logical and physical security.

At the end, we have 3 draft ballots currently: one draft ballot around ‘high security zones’, another to address the lack of a definition of air gapped (what it entails and what’s required for something to be considered air gapped), and a last one to introduce improved definitions around logical and physical controls. Brittany added some comments around air gapped systems monitoring.

Corey added that in the BRs there is a requirement for the CA to log all entries to and exits from a secure zone, and that this encompasses logging of any kind of physical access. There was further discussion around logging physical access. The final outcome was that Ben will draft a small initial ballot addressing high security zone and offline root CA key protection physical security.

7. Any Other Business

None

9. Next call:

March 15th, 2022
