Notes from 2025-01-28 Meeting


Miguel Sanchez

Jan 28, 2025, 12:01:13 PM
to CA/B NetSec WG (CA/B Forum), Clint Wilson

Notes

  • Ballot NS-007 is in voting period

    • Extends NSR v2 deadline to September 2025

    • Ends on the 30th of this month 

  • Discussion Topics

    • Review uses of CA Infrastructure

    • Discuss other issues to address in upcoming ballot

  • Discussing the CA Infrastructure ballot PR 

    • Cade Cairns: working on a sheet to tease out the differences in scope between NSR v1.7 and NSR 2.0 

    • Clint W: What is an example of the differences?

      • Cade: Network Segmentation in v1.7 only applies to Certificate Systems (req 1a) whereas in v2.0 it applies to CA Infrastructure. This increases the scope substantially

      • Clint: Part of the purposes of the changes is to clarify requirements and its scope

        • Certificate System (CS) vs. Certificate Management System (CMS) = some of the definitions should be subsumed by the new language of NSR v2.0 

    • Trevoli Ponds-White: if you read the definitions, why do we have terms that are used in multiple different places?

      • There are different sets of requirements for each of the different places 

      • Which one is a subset of the other?

        • Clint W: CS is a broader set of systems and CMS is a subset of CS 

    • Tobi: this was clearer before a recent ballot 

    • Trev: CMS is mentioned in more places than CS 

    • Clint: the intent of 2.0 was that the separation for CMS and CS was valuable, intended, or clear, and therefore it was meant to collapse for all the systems in CS

      • We want to understand the separation between CMS and CS and where it is impactful

        • If there is no need to have separate requirements for CS and CMS then we shouldn’t have separate requirements.

          • If there is a need then we can maintain the separation

    • Dan Jeffery: Let’s fall forward and make improvements to the changes and not fall back on the previous version 

      • Let’s make 2.0 clear as to what the changes are intended to be

    • Trev: At the time of the changes: the intent was that if people are doing continuous monitoring we should increase the scope of monitoring  

    • Clint: how would folks like to go through this review? Does it make sense to go through 1.7 and see how the defined system terms are used and consider if that usage could encompass the rest of the systems? 

    • Cade: sharing the sheet that was being worked on as part of the Cloud Services subgroup meeting

    • Clint: NCSSR Changes in Detail

    • Trev: We should be using functions instead of list of definitions 

    • Wendy: different PKIs would have different systems based on functions

      • They can be audited against functions 

    • Clint: we have a list of functions as part of the Certificate Systems definition

      • Trev: it’s a bad list of functions, some of which are not functions

    • Trev: would like to define the functions better in the CS definition 

      • Clint: agreed and would like to understand where the group was going

    • Cade: seems like we should be using CA Infrastructure for the inventory of systems 

      • Trev: we can make that change but perhaps it doesn’t make any substantial improvements

    • Trev: no controversy on 1.1 

      • Flip 1.1.1.1 and 1.1.1.2 in order to make it clearer 

      • What do ppl think about adding in more granular level of detail for 1.1.1.x?

        • Dan Jeffery: Would like it to be transferable 

    • Trev: Move some more parts of Section 4 to the top that would inform the rest of the document (e.g. risk assessment) 

      • Clint: agree that we can change the structure and flow of the doc 

    • Tim: from an audit perspective, auditors look at the functions and then define systems from that 

    • Meeting adjourned 
