<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:170998468;
mso-list-template-ids:1910121814;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:439692203;
mso-list-type:hybrid;
mso-list-template-ids:-702914714 777541346 2100229430 -900048728 -1207785036 -90525924 1749319032 -434978050 1175226794 -705013238;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:520317237;
mso-list-type:hybrid;
mso-list-template-ids:-1010119964 99630300 824476942 41433158 1312063436 739775750 -971196186 -96942918 -1737457380 -1258653934;}
@list l2:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3
{mso-list-id:670645589;
mso-list-type:hybrid;
mso-list-template-ids:-396430842 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:905646910;
mso-list-type:hybrid;
mso-list-template-ids:-209026166 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:38.65pt;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:74.65pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:110.65pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:146.65pt;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:182.65pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:218.65pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:254.65pt;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:290.65pt;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:326.65pt;
text-indent:-.25in;
font-family:Wingdings;}
@list l5
{mso-list-id:1386758469;
mso-list-template-ids:1401480716;}
@list l5:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6
{mso-list-id:1573810827;
mso-list-template-ids:1080870202;}
@list l6:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7
{mso-list-id:1581062039;
mso-list-template-ids:1211686360;}
@list l7:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8
{mso-list-id:1794708401;
mso-list-type:hybrid;
mso-list-template-ids:571101796 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l8:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l8:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l8:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l8:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l8:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l8:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l8:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l8:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l8:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l9
{mso-list-id:1835952158;
mso-list-template-ids:952289274;}
@list l9:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level1 lfo4
{mso-level-start-at:3;}
@list l7:level1 lfo5
{mso-level-start-at:5;}
@list l7:level2 lfo7
{mso-level-number-format:bullet;
mso-level-numbering:continue;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level2 lfo8
{mso-level-start-at:2;}
@list l9:level1 lfo10
{mso-level-start-at:6;}
@list l9:level2 lfo12
{mso-level-number-format:bullet;
mso-level-numbering:continue;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l9:level2 lfo13
{mso-level-start-at:2;}
@list l5:level1 lfo15
{mso-level-start-at:7;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Below are the minutes from the Network Security Working Group meeting of 29 June 2017<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="mso-list:l0 level1 lfo1">Call to order – Kirk Hall, WG Chair pro tem<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l8 level1 lfo2"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Attendees were: Ben Wilson (DigiCert), Bruce Morton (Entrust), Dimitris Zacharopoulos (HARICA), Jeff Stapleton (Wells Fargo), Jos Purvis (Cisco), Kirk Hall (Entrust), Peter Bowen (Amazon), Tim Hollebeek (Trustwave), Jonathan Sun
(CFCA), Phillip Hallam-Baker (Comodo), Tia Pope (Cisco), Tom Ritter (Mozilla), Tony Rutkowski, Xiu Lei (GDCA), Alexsei Ivanov (Leader Telecom), Chris Salter (CIS)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoNormal" style="mso-list:l0 level1 lfo1">Call for nominees, election of Chair/Co-Chair – Kirk Hall, Chair pro tem<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Bruce Morton volunteered to be chair<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<li class="MsoNormal" style="mso-list:l6 level1 lfo4">Approval of Agenda<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Agenda was approved<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="4" type="1">
<li class="MsoNormal" style="mso-list:l6 level1 lfo4">Review of Network Security Working Group charter (see Ballot 203 below)<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Charter was reviewed. It was discussed that the CAs are having challenges with implementing the Network Security requirements. However, it was also stated that the CAs have already implemented the Network Security document, so
replacing it could be a concern. There are better ways and requirements which should be reviewed.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Is the Forum the right place to maintain the document? Should we use another forum?<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The original NetSec document started with a meeting at Trustwave after the DigiNotar incident. The NetSec document was based on a Symantec document, which was pared down. The NetSec document also mapped in items from WebTrust and ETSI
so as not to reinvent the wheel.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Other documents show overlay or normative methods. Some documents defer and say authentication shall meet some other reference.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>We do not want to abdicate responsibility for the standards that apply to the CAs.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Need to consider auditability issues, so we might not want to reference other documents.<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:38.65pt;text-indent:-.25in;mso-list:l4 level1 lfo3">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Do not want to conflict with WebTrust or ETSI, but point to other criteria that we already have to meet.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<li class="MsoNormal" style="mso-list:l7 level1 lfo5">Discussion of possible approaches, including but not limited to:<o:p></o:p></li></ol>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo6">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Eliminate NetSec Requirements entirely<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo7">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Repeal and don't replace was not supported. It was stated that we need some minimum standard.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo7">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>There was some opposition to scrapping the NetSec document.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo7">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Need to review PCI-type requirements for vulnerability scans and penetration testing.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo8">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Short-term “Patch” of existing NetSec Requirements while considering long-term solution<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>It was agreed to patch the NetSec document in the short-term. This will support CAs with current implementations and upcoming audits.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Some items are implemented even when they don't make sense, and are done just to clear an audit.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Dimitris supports patch and would like to remove unnecessary pain.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>There was concern about a short-term patch taking too long.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Ben has a spreadsheet of items which is included with the agenda email.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Ben and Dimitris to triage the list to determine patch items.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Need to address off-line roots, but doing so might create an issue.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Bruce to review to see if the roots could be addressed with a definition change.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo8">
<![if !supportLists]><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Long-term rewrite of existing NetSec Requirements<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Some items will take a long time to correct. These would not be included in the short-term fixes and may be deferred until a re-formatting of the NetSec document.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo8">
<![if !supportLists]><span style="mso-list:Ignore">d.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Long-term rewrite of requirements using alternative model(s) as a starting point<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Not discussed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l7 level2 lfo8">
<![if !supportLists]><span style="mso-list:Ignore">e.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Preferred style of new NetSec Requirements – detailed and prescriptive, or goal based but with CA discretion?<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l2 level2 lfo9">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Not discussed.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<ol style="margin-top:0in" start="6" type="1">
<li class="MsoNormal" style="mso-list:l9 level1 lfo10">Possible alternative models:<o:p></o:p></li></ol>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l9 level2 lfo11">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>CIS Critical Security Controls <a href="https://www.cisecurity.org/controls/">
https://www.cisecurity.org/controls/</a> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l9 level2 lfo12">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Criteria would be acceptable, but controls would be hard to meet. Could review controls. There is a NIST document which maps to the CSC document.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l9 level2 lfo13">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Other existing models<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l1 level2 lfo14">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>ISO 21188, which is being updated<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l1 level2 lfo14">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>NIST SP 800-53<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l1 level2 lfo14">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Some documents describe illustrative controls<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.75in;text-indent:-.25in;mso-list:l1 level2 lfo14">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>CA protection profile, Ben to forward<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<ol style="margin-top:0in" start="7" type="1">
<li class="MsoNormal" style="mso-list:l5 level1 lfo15">Auditability considerations<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l3 level1 lfo16"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Not thoroughly discussed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="8" type="1">
<li class="MsoNormal" style="mso-list:l5 level1 lfo15">Timelines – milestones, goals for completion<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l3 level1 lfo16"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Not discussed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="9" type="1">
<li class="MsoNormal" style="mso-list:l5 level1 lfo15">Next steps<o:p></o:p></li></ol>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l3 level1 lfo16"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Ben and Dimitris to provide suggestions for short-term fixes.<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l3 level1 lfo16"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Bruce to review offline root issue<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l3 level1 lfo16"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Ben to provide CA protection profile<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Bruce Morton<o:p></o:p></p>
<p class="MsoNormal">Entrust Datacard<o:p></o:p></p>
<p class="MsoNormal">+1.613.270.3743<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>