Draft Minutes for NSWG 2025-09-23


Luis Cervantes

Nov 6, 2025, 6:28:47 PM
to netsec-m...@groups.cabforum.org, net...@groups.cabforum.org

**Draft Minutes for NSWG 2025-09-23**


**Attendees:**

Aaron Poulsen (Amazon), Adam Jones (Microsoft), Ben Wilson (Mozilla), Cade Cairns (Google), Clint Wilson (Apple), Corey Rasmussen (OATI), David Kluge (Google), Jozef Nigut (Disig), Luis Cervantes (SSL.com), Miguel Sanchez (Google), Matthew McPherrin (ISRG), Nate Smith (GoDaddy), Roman Fischer (SwissSign), Rollin Yu (TrustAsia), Scott Rea (eMudhra), Tathan Thacker (IdenTrust), Tim Huff (Microsoft), Tobias Josefowitz (Opera)


**Minutes:**

1. Notewell read (Clint)

2. Minutes – Luis Cervantes (SSL.com)

3. Topics:

Clint reviewed topics discussed in the last couple of weeks, such as AI, governance of the use of AI, and the impact of AI. He also talked about some F2F topics, where Corey had volunteered to put together a presentation around cloud services, looking at parts of the CA infrastructure that can be moved to the cloud. A F2F topic was added at the Forum level to discuss the rate of change in the CA/B Forum, and a resources collection document for AI governance was added to the NetSec folder, with a couple of links; more will be added.

Miguel asked about the use of AI as a tool, and not just the governance of AI, such as the ability to use it as a tool for the ecosystem, like monitoring Bugzilla incidents for CAs, and possible other use cases.

Tobias advised that the requirement to monitor Bugzilla is not a CA/B Forum requirement and especially not part of the NetSec WG.

Clint suggested that one way AI falls squarely in scope of the CA/B Forum would be something like using AI to monitor ballots and the status of ballots over time (overlap with the Infrastructure Subcommittee).

David added that the topic of AI in a broader sense could actually affect the charter of multiple working groups. AI can play a role in certificate validation, in the logic, and in detecting risks, which would then be more in the Server Certificate Working Group scope; but if that became part of a recognized validation method, then whatever runs and executes that component of the infrastructure would have to be run securely, which would place that part within the charter of the NetSec working group. Another field of application could be the detection of and response to threats, e.g. the detection of suspicious activity, which would fall squarely within the charter.

Clint agreed in general and mentioned that tools like gen AI have been shown to be useful for anomaly detection and in areas where there is a vast amount of data that needs to be processed.

Clint asked whether, with NS008, everything has been going well for CAs and whether any CAs have encountered any challenges. (No response from CAs)

4. Meeting adjourned.

Dustin Hollenback

Nov 18, 2025, 11:04:35 AM
to net...@groups.cabforum.org

# Final Minutes for NetSec WG Meeting 2025-11-04

**Attendees:**
* Aaron Poulsen (Amazon Trust Services)
* Ben Wilson (Mozilla)
* Clint Wilson (Apple)
* Daryn Wright (Apple)
* David Kluge (Google Trust Services)
* Dustin Hollenback (Apple)
* Hans Metsoja (Opera)
* Matthew McPherrin (ISRG)
* Miguel Sanchez (Google Trust Services)
* Nate Smith (GoDaddy)
* Rebecca Kelley (SSL.com)
* Roman Fischer (SwissSign)
* Scott Rea (eMudhra)
* Tathan Thacker (IdenTrust)
* Tim Crawford (BDO)
* Wendy Brown (FPKIMA)

**Minutes:**
1. **Notewell read by Clint Wilson.**
2. **Administrative Items:**
   * Clint Wilson asked for a volunteer to take minutes; Clint volunteered.
   * The working group considered the application of D-Trust GmbH to join the Network Security Working Group. There were no objections, and the application was approved.
   * Rebecca Kelley noted that Luis will send the minutes from the previous meeting later this week.
3. **Agenda Setting:**
   * Clint Wilson opened the floor for agenda topics, noting the primary topic was a follow-up from the face-to-face meeting regarding a rewrite of the network security requirements. No other topics were proposed.
4. **Discussion: Rewriting the Network Security and Certificate System Requirements (NCSSRs)**
   * **Proposal for an Off-Site Summit:** Miguel Sanchez introduced the idea of a dedicated 2-3 day off-site summit to perform a complete rewrite of the NCSSRs. He suggested that if the Summer 2026 CA/B Forum F2F meeting is canceled, the time slot could be repurposed for this "NetSec Summit," with Google potentially hosting.
   * **Goals & Approach:** The primary goal is a full rewrite of the requirements, not just a restructuring. Miguel advocated for a more modern, risk-based, and less prescriptive approach, possibly using standards like NIST 800-53 as a baseline. The outcome would be a new set of requirements with a phased-in adoption period of one to two years to allow CAs time to adapt.
   * **Scope:** Scott Rea asked if a security framework for cloud-based services would be in scope. Miguel suggested that while important, rewriting the NCSSRs is a major undertaking on its own, and cloud services should be treated as a separate exercise to keep the scope manageable.
   * **Concerns & Mitigation:**
     * Daryn Wright raised a concern about the difficulty of passing large, sweeping ballots, noting that community buy-in can be challenging for those not directly involved in the drafting process.
     * Miguel acknowledged this is a valid concern and proposed mitigations, including a long, multi-year phased-in implementation and the creation of detailed implementation guidelines to assist CAs.
     * Aaron Poulsen suggested that mapping the new controls to existing, common frameworks (like NIST, ISO, SOC2, etc.) would ease adoption. He reasoned that most CAs are already audited against these standards and would likely be compliant with many of the proposed controls.
     * Wendy Brown added that the group should also review the Baseline Requirements (BRs) from other working groups to identify and consolidate any overlapping security requirements.
     * David Kluge supported the direction but cautioned that browsers have not always been enthusiastic about similar proposals in the past. He stressed the importance of engaging browsers early in the process to secure their support and avoid having a final draft rejected.
   * **Browser Feedback:** Ben Wilson (Mozilla) stated that it "sounds like a fine plan." He recommended, as a matter of process, creating a formal planning document, proposal, or project charter to outline the goals and circulate it with the root stores for feedback.
   * **Auditor Feedback:** Tim Crawford asked for clarification on whether the group would adopt an external framework or create its own. Miguel and Aaron confirmed the plan is to create a unique NetSec document that the group owns and maintains, but which uses various external standards as a source for controls and guidance. This avoids binding the group to external documents that can change outside of their control.
5. **Action Items:**
   * Miguel Sanchez took the action item to create an initial draft of a **project charter** to formally outline the plan for the NCSSR rewrite. This charter will be circulated for discussion on the mailing list and at the next meeting.
6. **Meeting Adjourned.**