<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 8/9/2021 11:01 μ.μ., Ian McMillan
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BY5PR00MB0692BF81E7AABC9B5DEFB845C4D49@BY5PR00MB0692.namprd00.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:SimSun;
mso-fareast-language:ZH-CN;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:SimSun;
mso-fareast-language:ZH-CN;}span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:ZH-CN;}p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:ZH-CN;}p.xmsolistparagraph, li.xmsolistparagraph, div.xmsolistparagraph
{mso-style-name:x_msolistparagraph;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:ZH-CN;}span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Thanks
Seb and Dimitris!<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">I
am totally with Dimitris on this topic and I like the
addition “note” Dimitris and Clint are putting into the BRs
(so much so I am incorporating it). Please see that attached
revise of the redline doc. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
Hi Ian,<br>
<br>
Procedure-wise, the red-line and the "Draft Guideline" that is put
for a ballot, must be based on the at-the-time effective Final
Guideline, which is currently 2.3. The Revisions table should also
not be part of the ballot because we are running ballots in parallel
and might stumble on minor deviations with effective dates, unless
we have reasons to update tables with version numbers. This is
explicitly called out in the <a moz-do-not-send="true"
href="https://github.com/cabforum/forum/blob/main/Bylaws.md">Bylaws
</a>section 2.4 (8). <br>
<br>
For example, CSC-9 has ended the IPR review period but the
Chair/Vice-Chair must announce the end of the IPR Review Period,
making sure that no Exclusion Notices have been filed, and publish
the final guideline based on that ballot. The effective date would
be the day the final guideline is published (not 2021-09-08). The
same applies to CSC-10. For those reasons, and considering the fact
that the IPR Review for CSC-10 ends very soon (2021-09-12), I would
suggest that you wait a couple of days and base your redline on the
Final Guideline that will be published by Bruce based on CSC-10 to
start the discussion period.<br>
<br>
Regarding your comment on 15.1 about Signing Services, I agree that
it seems out of place and would propose to remote it so that the
text reads "CAs and each Delegated Third Party SHALL..."<br>
<br>
Similarly for the "Note" in section 15.3, I suggest replacing
"Signing Service" with "Delegated Third Parties".<br>
<br>
Happy to endorse with the changes above, if there are no objections
by other Members. <br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:BY5PR00MB0692BF81E7AABC9B5DEFB845C4D49@BY5PR00MB0692.namprd00.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Ian
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">
Cscwg-public <a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via
Cscwg-public<br>
<b>Sent:</b> Thursday, September 2, 2021 6:52 AM<br>
<b>To:</b> Sebastian Schulz
<a class="moz-txt-link-rfc2396E" href="mailto:sebastian.schulz@globalsign.com"><sebastian.schulz@globalsign.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re:
DISCUSS/ENDORSE: Ballot CSC-11: Update to log data
retention requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Sebastian,<br>
<br>
I'd like to share with the CSCWG a proposal I wrote after some
collaboration with Clint Wilson from Apple. You may find the
proposed changes to the BRs in
<a
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdzacharo%2Fservercert%2Fpull%2F2%2Ffiles&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719961422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=RNOddurbyIhItjFVDityJT%2FyjHhK%2F%2F%2BI5YSApXI5oHA%3D&reserved=0"
moz-do-not-send="true">
https://github.com/dzacharo/servercert/pull/2/files</a>.<br>
<br>
The fact that the retention period has a lower limit, nothing
prevents a CA from keeping logs/archives for longer periods in
order to investigate past security incidents. This is
highlighted in a NOTE in the proposal above. Similarly the
NetSec SCWG subcommittee is working on a draft in <a
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1SCyrt8la1slPJhvnWUW6ROlqIV3yaDwb3LKZ5qjdiH4&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719971379%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Kfa9Oix82YtnVRSO8P75LlrEGScTedAzC%2FJvai3PMzg%3D&reserved=0"
moz-do-not-send="true">
https://docs.google.com/document/d/1SCyrt8la1slPJhvnWUW6ROlqIV3yaDwb3LKZ5qjdiH4</a>.<br>
<br>
For the CA Certificates' retention period, which is proposed
to be 2 years after the expiration/revocation/key deletion of
the CA, IMHO the same principle applies. The CA must determine
if it needs to keep logs for more time in order to perform
proper retrospection related to a security incident AFTER a CA
has been decommissioned.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<span style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 2/9/2021 1:35 μ.μ., Sebastian Schulz
via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hey
All, Hey Ian</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">What
seems a little odd to me is that the requirements for the
duration of log retention are the same for CA certificates
as for subscriber certificates, given their wildly
different original validity periods. I know the TLS BR
handle it like that as well but come to think of it….isn’t
the purpose of log retention to be able to identify
possible errors in operation of a CA from the aftermath?
Since CA certificate lifecycle operations are carried out
at much lower frequency than those for subscriber
certificates, I would have assumed that more logged time
is needed to identify possible systemic errors (in
contrast, 2 years retention for subscriber certificates
with max 3 year validity almost seems long)</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Just
a thought that came to mind, maybe I just missed
discussion around it. Or another discussion needs to be
had, but not for this ballot then. When it comes to adding
TS requirements and detaching it from TLS BR - looks good
to me
</span><span style="font-size:11.0pt;font-family:"Segoe
UI Emoji",sans-serif">😊</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Best,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Seb</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-US">Sebastian
Schulz</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><br>
</span><i><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-GB">Product
Manager Client Certificates</span></i><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Cscwg-public
<a href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> 01 September 2021 17:00<br>
<b>To:</b> Ian McMillan <a
href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true"><ianmcm@microsoft.com></a>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a>;
<a href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">
dzacharo@harica.gr</a>; <a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true">Bruce.Morton@entrust.com</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re:
DISCUSS/ENDORSE: Ballot CSC-11: Update to log data
retention requirements</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hi
All,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Please
review the attached updated redline with the removal of
all references to the SSL/TLS BRs for section 15 on data
records.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">I’d
like to note that Signing Services are included in the
data records requirements but seem really out of place as
they are responsible for subscriber key generation and
protection as it is described in section 16.2, and not the
management or creation of CA certificates. I could easily
see us removing Sign Services from this section or
authoring a new set of requirements for signing services
as part of the refinement of the CSBRs for signing
services. </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Ian
</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Cscwg-public
<a href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> Wednesday, September 1, 2021 8:27 AM<br>
<b>To:</b> <a href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">dzacharo@harica.gr</a>; <a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true">
Bruce.Morton@entrust.com</a>; <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re:
DISCUSS/ENDORSE: Ballot CSC-11: Update to log data
retention requirements</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span
style="color:black">Hi Bruce and Dimitris,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span
style="color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span
style="color:black">I like this idea and I<span
lang="ZH-CN">’</span>ll work on this update to
share with the group before next week<span
lang="ZH-CN">’</span>s meeting.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span
style="color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span
style="color:black">Thanks,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span
style="color:black">Ian</span><o:p></o:p></p>
</div>
</div>
<div id="ms-outlook-mobile-signature">
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal">Get <a
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719981339%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=sdIfRYm9riGo3EinAEjzs2YCkhZsbjcI%2FErkRxgRFv4%3D&reserved=0"
moz-do-not-send="true">
Outlook for iOS</a><o:p></o:p></p>
</div>
</div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="98%" size="1" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">
Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true">dzacharo@harica.gr</a>><br>
<b>Sent:</b> Wednesday, September 1, 2021 8:16:03 AM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a>
<<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a>>;
Ian McMillan <<a href="mailto:ianmcm@microsoft.com"
moz-do-not-send="true">ianmcm@microsoft.com</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public]
DISCUSS/ENDORSE: Ballot CSC-11: Update to log data
retention requirements</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 26/8/2021 9:00 <span lang="ZH-CN">μ</span>.<span
lang="ZH-CN">μ</span>., Bruce Morton via Cscwg-public
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal">Hi Ian,<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">I am wondering if we could change
the text, so we do not reference the SSL BRs. I’m
saying this because:<o:p></o:p></p>
<ol style="margin-top:0in" type="1" start="1">
<li class="xmsolistparagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3">CSBRs
refer to SSL BR version 1.6.9, which was updated per
SC27<o:p></o:p></li>
<li class="xmsolistparagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3">CSBR
section 15.2 would be easier to read<o:p></o:p></li>
<li class="xmsolistparagraph"
style="margin-left:0in;mso-list:l0 level1 lfo3">CSBR
section 15.2 would be independent of the SSL BRs,
which goes in the direction of our goal<o:p></o:p></li>
</ol>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">Thanks, Bruce.<o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I agree with Bruce. We should try to incorporate text from
the TLS BRs that makes sense for the CS BRs as much as we
can and avoid references that have the risk of becoming
broken or amended by the SCWG.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal"><b>From:</b> Cscwg-public <a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true">
<cscwg-public-bounces@cabforum.org></a> <b>On
Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> Thursday, August 26, 2021 12:29 PM<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public]
DISCUSS/ENDORSE: Ballot CSC-11: Update to log data
retention requirements<o:p></o:p></p>
</div>
</div>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"><span
style="font-size:12.0pt;font-family:SimSun">WARNING:
This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust
the sender and know the content is safe.</span><o:p></o:p></p>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="100%" size="1" align="center">
</div>
<p class="xmsonormal">Hi Folks, <br>
<br>
I am looking for feedback and at least two
endorsements on this new ballot I am proposing. Please
share your feedback and if you are willing to endorse
this ballot.<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"><a
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_11_-_update_to_log_data_retention_requirements__%3B!!FJ-Y8qCqXTj2!OxtP9iVwcvkR2NB3D6_-cStNUlZ0jiRsvQI7kzZGF3vX8NFDtimB6Te0-iBFuXDSLg0%24&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719991296%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=2apKicY6AAJrNRYAmvy3ZpdreDDdft%2F77FnTR5YyQf4%3D&reserved=0"
moz-do-not-send="true">Ballot CSC-11: Update to log
data retention requirements</a><o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">Purpose
of this ballot:<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">Update
the log data and retention of log data requirements in
the Baseline Requirement for the Issuance and
Management of Publicly-Trusted Code Signing
Certificates v2.5.<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">The
following motion has been proposed by Ian McMillan of
Microsoft, and I am looking for endorsements from two
other members of the CSCWG.
<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">— MOTION
BEGINS —<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">This
ballot updates the “Baseline Requirements for the
Issuance and Management of Publicly‐Trusted Code
Signing Certificates“ version 2.5 according to the
attached redline which including<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsolistparagraph"
style="margin-left:1.0in;text-indent:-.25in">Update
section 15 “Data Records” to include sub-section 15.1
“Timestamp Authority Data Records”<o:p></o:p></p>
<p class="xmsolistparagraph"
style="margin-left:1.0in;text-indent:-.25in">Update
section 15.1 to clarify 4(f) for security event
logging on Timestamp Authority servers<o:p></o:p></p>
<p class="xmsolistparagraph"
style="margin-left:1.0in;text-indent:-.25in">Update
section 15.1 on 4(d) for security event logging to no
longer include “hardware failures”<o:p></o:p></p>
<p class="xmsolistparagraph"
style="margin-left:1.0in;text-indent:-.25in">Update
section 15 “Data Records” to include sub-section 15.2
“Data Retention Period for Audit Logs”<o:p></o:p></p>
<p class="xmsolistparagraph"
style="margin-left:1.0in;text-indent:-.25in">Update
section 15.2 to no longer reference Baseline
Requirements section 5.4.3 and defined a specific
retention period for CA, subscriber certificate,
Timestamp Authority, and security event data records
for at least 2 years<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">— MOTION
ENDS —<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">Thanks,<o:p></o:p></p>
<p class="xmsonormal">Ian<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><i>Any
email and files/attachments transmitted with it are
confidential and are intended solely for the use of
the individual or entity to whom they are addressed.
If this message has been sent to you in error, you
must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust
immediately</u> and delete the message from your
system.</i>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767720001248%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Kt%2BHiMNa%2F4GIsPfUfPDnqwGMNRVhr%2BAen4Wh%2FYPyKoI%3D&reserved=0" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767720011203%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=0q59np1F%2BztHzC37FNqrfbYCg4rRSyH2RX7aQL8QSFM%3D&reserved=0" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>