Just wanted to let you know I will most likely not be able to attend tomorrow's call. The Zero Trust working group developing the business value document moved its biweekly call to the same hour. I am one of the primary authors of the document and need to attend. I have a couple of open actions for the Key Management Life Cycle Best Practices, which I should be able to get to next week. Sections 2.1 and 2.5 are in final draft. Cheers, alex.
------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------
Original Message:
Sent: May 11, 2023 01:04:35 PM
From: Marina Bregkou
Subject: Meeting Minutes May 3rd, 2023.
Dear members,
Below you can find the minutes from our working group call on the 3rd of May.
Previous action items:
- Partha and Alex to provide feedback to the presentation from the DLT/Blockchain WG leadership, on the Framework for Digital Certification Governance Security Recommendations. (Link to the recommendations document: https://docs.google.com/spreadsheets/d/1iJ9yvX7JMCunld10ct-ickhTfg4TDPFR/edit#gid=632422826. - PENDING
- Partha to review the sections that are populated (respectively: section 2 with 2.2, 2.3, 2.4, 2.5, 2.6, and 3.2.1) - PENDING
- Thanos to please review section 2.2 and 2.4 and 2.5 - Partially PENDING
- Vrettos to please review section 2.5 - DONE
- Sam will write section 3.2.7-Key Auditing. - PENDING
- Alex will include Crypto Agility in 2.1-KMS Overview - PENDING
- Sam to develop section 1 (1.2 and 1.3 and 1.4) in paragraph form. - DONE
- Alex to author section 8: Key Mgmt Considerations? - PENDING
- Author needed for section 10: Vendor Selection Best Practices. - PENDING
Discussion:
During the discussion on the Key Mgmt Lifecycle document, Iain Beveridge proposed to consider including considerations about cloud deployment versus on-prem and nuances to be considered between on prem and cloud instantiations. Partha will create some content on this with Sunil and Santosh and we are having a placeholder for this as section 7 at the end of the document until we decide where it could be placed better.
New action items to be implemented by our next call on the 17th of May:
- Document 1: Key Mgmt Lifecycle Best Practices
- Working group to discuss Thanos' comment on including the key phases as are defined in the NIST 800-57pt1 rev.5 document as discussed initially.
- All authors to please address and resolve comments made to their particular sections. Either incorporate or justify why the comment is not being addressed.
- Marina to put out a call for additional authors to contribute to 3.2.2, 4.2, 4.3, 4.4 and 4.5, 5.2, 5.3. Perhaps practitioners that already works on these topics.
- Partha to add the overview content of the section 3. Dive deep into each item in the life cycle.
- Iain ( @Iain Beveridge) to please update the diagram with the Key Mgmt lifecycle according to the terminology and the phases we are using in this paper. (Under section 3.1, page 22)
- Michael Roza ( @Michael Roza) to write the 3.2.5 Key Revocation section.
- Sam ( @Sam Pfanstiel) to write section 3.2.7. Key Auditing.
- Marina ( @Marina Bregkou) to write section 3.2.8 Key Destruction.
- Vani ( @Vani Murthy) to write section 4.1 Compliance and Regulatory Requirements.
- Partha, Sunil and Santosh will include some content for a new section called 'On-prem Considerations' which is to cover the cloud and on-prem instantiations. It has a placeholder as section 7 for now at the end of the document.
- Document 2: HSM-as-a-Service:
- Thanos ( @Thanos Vrachnos) and Santosh ( @Santosh Bompally) to review section 1 written by Sam.
- Sam ( @Sam Pfanstiel) to provide feedback to Thanos questionnaire on identifying additional drivers for HSM-as-a-Service.
- Thanos ( @Thanos Vrachnos) to include a new question as the first one of the survey asking the respondent: 'Are you familiar with the 'HSM-as-a-Service' term?' After that the rest of the survey, with its term and purpose description can follow.
- Thanos ( @Thanos Vrachnos) include a short term (HSM-as-a-Service) and purpose description on the top of his survey on HSM drivers.
- Marina to check the previous Cloud Key Mgmt papers in order to recognize any references to HSM from the CSP/on-prem perspective and perhaps include the non-CSP perspective (on-prem) in this paper. (Check footnotes for Utimaco, Entryst mentions, etc.)
Next working group call:
Date: Wednesday, 17th May 2023.
Time: 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 17:00 CET / 18:00 EET
URL: https://zoom.us/j/93617880747 (Meeting ID: 936 1788 0747)
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------