July 24, 2024
Participants: @peerst, @maennchen, @varnerac, Alistair Woodman, @voltone
FOSS and US/EU cybersecurity regulation
- EU:
  - Cyber Resilience Act, in particular FOSS classified as “Critical Infrastructure Software”
  - Primary angle: consumer protection
  - Tool: market regulation
- US:
  - Executive Order 14028, NIST Secure Software Development Framework (SSDF)
  - Primary angle: protect national security
  - Tool: force industry buy-in through government procurement requirements
- EEF strategy:
  - Ensure the BEAM platform remains a viable choice for open source and commercial projects
  - Leverage pressure on (currently passive) commercial users to drive participation in EEF (cf. FreeBSD Foundation approach)
  - Join Linux Foundation (OpenSSF), other industry initiatives
  - Obtain grants to help move the ecosystem forward
- Broader topics (e.g. work being done in @peerst’s EU RESCALE projects):
  - Static analysis
  - SBoM, TBoM
- Next steps:
  - Ericsson looking at SSDF self-attestation for OTP
  - @varnerac: self-attestation for ongoing US government projects
  - Alistair continues to discuss with the board and other groups inside and outside EEF
  - More updates next month
OCSP and CRLs
- Let’s Encrypt wants to move away from OCSP:
  - Due to privacy, latency and reliability concerns
  - Seems they do not consider OCSP Stapling a viable solution
  - CRLite to deal with big CRLs and avoid the latency penalty of just-in-time CRL fetching
- Erlang/OTP’s :ssl has known issues with large CRLs:
  - Post mentions Amazon CRLs of 4MB
  - More example sizes:
    - Let’s Encrypt mentions their full CRL would be around 8GB (2022)
    - Using “sharding” they reduced individual CRLs to 70MB
    - CRLite paper mentions an Apple CRL of 76MB
- CRLite intended for browsers on the public internet:
  - Not practical for machine-to-machine use-cases, embedded systems, private CAs
- Discussion cut short due to time constraints; continue in Slack or next month
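For reference, the :ssl options the large-CRL discussion above applies to. This is an added example, not code from the meeting or from Erlang/OTP itself; it assumes OTP 25 or later (for :public_key.cacerts_get/0), that the inets application is available for HTTP fetching of CRLs, and that the host, port and file path passed in are the caller's own. The module name and function names are made up for the example.

```elixir
# Added example (not part of the meeting notes): the :ssl configuration that
# turns on CRL checking, i.e. the code path where a multi-megabyte CRL costs
# latency and memory on every cold just-in-time fetch.
defmodule CrlCheckExample do
  # Connect with peer verification and CRL checking enabled.
  #
  # :crl_check accepts:
  #   true         - fail the handshake if a CRL cannot be obtained
  #   :peer        - check only the peer certificate, not the issuing chain
  #   :best_effort - skip the check when no CRL can be fetched
  #
  # :crl_cache {:ssl_crl_cache, {:internal, [http: timeout_ms]}} tells :ssl to
  # fetch CRLs just-in-time from the certificate's CRL distribution point over
  # HTTP (this needs :inets started). Without the http option, only CRLs
  # already present in the cache are consulted.
  def connect(host, port \\ 443, crl_check \\ :best_effort) do
    {:ok, _} = Application.ensure_all_started(:inets)
    {:ok, _} = Application.ensure_all_started(:ssl)

    :ssl.connect(
      String.to_charlist(host),
      port,
      [
        verify: :verify_peer,
        cacerts: :public_key.cacerts_get(),
        server_name_indication: String.to_charlist(host),
        crl_check: crl_check,
        crl_cache: {:ssl_crl_cache, {:internal, [http: 5_000]}}
      ],
      10_000
    )
  end

  # Pre-load a PEM-encoded CRL from disk into the internal cache, keyed by the
  # distribution point URI that appears in the certificates being validated.
  # This avoids the just-in-time fetch entirely, which is the practical option
  # for private CAs and machine-to-machine setups where CRLite does not apply.
  # The CRL still has to be refreshed before its nextUpdate time.
  def preload_crl(dist_point_uri, pem_path) do
    {:ok, _} = Application.ensure_all_started(:ssl)

    :ssl_crl_cache.insert(
      String.to_charlist(dist_point_uri),
      {:file, String.to_charlist(pem_path)}
    )
  end
end
```

With :best_effort the handshake succeeds even when the distribution point is unreachable, so for machine-to-machine deployments with a private CA the safer combination is preloading the CRL and using crl_check: true, which makes a missing or stale CRL a hard failure rather than a silent pass.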
OIDC Client
- FAPI certification still pending
- Checking if EEF can be listed as OpenID member
Next meeting
Wed 21 August 2024 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST