Minutes for NetSecWG Call 7 Oct 2025
Attendees:
Aaron Poulsen (Amazon), Adam Jones (Microsoft), Cade Cairns (Google), Clint Wilson (Apple), Corey Bonnell (DigiCert), Corey Rasmussen (OATI), David Kluge (Google), Dustin Hollenback (Apple), Hans Metsoja (Opera), Miguel Sanchez (Google), Roman Fischer (SwissSign), Scott Rea (eMudhra), Thomas Zermeno (SSL.com), Tim Crawford (BDO), Tim Huff (Microsoft), Tobias Josefowitz (Opera)
Minutes:
Clint delivered the Note Well, reminding folks of the bylaws, antitrust policy, IPR policy, and code of conduct.
Scott volunteered to take minutes.
Meeting minutes for the September 9, 2025 meeting (taken by Thomas Zermeno), posted a week ago, were approved unanimously.
No IPR reviews or ballots are currently in progress.
Clint reviewed the agenda for the upcoming F2F, which is scheduled for 11:00am local time Thursday morning for 1.5 hours. Currently there is just one topic on the agenda: a discussion on CA cloud services, to be led by Corey B.
Corey B plans a brief overview of current NetSec requirements for CAs and what the potential cloud service integrations could be, to be followed by more of an open mic type discussion.
Scott suggested (potentially not for F2F, but at future meetings) inviting participant cloud service providers (CSPs) to discuss security frameworks and audit processes. Aaron agreed but wanted some guardrails developed so that invited cloud service providers had specific scope of topics to present about. Miguel agreed with this approach.
Tobias suggested that we should elicit from CSPs the essence of how they convince us to trust them, because that is what CAs need to achieve when they integrate cloud services into their own. Concerns were raised about trust in cloud-based CA infrastructure and the adequacy of existing audit regimes. Current audits provide value but may not meet the high specificity desired by stakeholders. Audits focus on governance rather than identifying operational weaknesses and incidents. Increased reliance on audits could reduce community oversight and transparency in operations. Maintaining compliance with evolving frameworks poses challenges for organizations in the web PKI space.
David suggested we could consider review of operational data that gets written to public logs, along the lines of what CT logs accomplish, but what that set of data might be is still to be determined. Perhaps something around incident handling is the type of data to be considered.
Corey B will frame the F2F discussion more along the lines of today’s discussion.
There is a plan to invite representatives from major cloud service providers (e.g., Google, Microsoft, Amazon) to future meetings to discuss their audit regimes and how they ensure trust in their services. But first, some guardrails on what topics to cover will be developed.
Meeting adjourned. Next meeting F2F on 28 October 2025.