<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:SimSun;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:SimSun;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:ZH-CN;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.xmsolistparagraph, li.xmsolistparagraph, div.xmsolistparagraph
{mso-style-name:x_msolistparagraph;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:550850984;
mso-list-template-ids:-503812604;}
@list l1
{mso-list-id:2051343818;
mso-list-template-ids:-1422232672;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hi Ian,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Under 15.1 item 1, why do we only have 2 requirements but the SSL BRs have 6 requirements? Did we have a reason for reducing the list?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I have attached a markup where I have made some edits to some section numbers and a few other minor changes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I will endorse the ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Cscwg-public <csc<a href="mailto:wg-public-bounces@cabforum.org">wg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> Tuesday, September 14, 2021 9:51 AM<br>
<b>To:</b> Dimitris Zacharopoulos (HARICA) <dzacharo@harica.gr>; cscwg-public@cabforum.org; Sebastian Schulz <sebastian.schulz@globalsign.com><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">I’ve incorporated all the feedback and based the attached redline off the most recently published version of the CSBRs v2.5.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">If Dimitris is still willing to endorse this ballot, I only need one more endorser. Can I please get another endorser for this ballot?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Thanks,<br>
Ian<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>>
<br>
<b>Sent:</b> Thursday, September 9, 2021 6:16 AM<br>
<b>To:</b> Ian McMillan <<a href="mailto:ianmcm@microsoft.com">ianmcm@microsoft.com</a>>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Sebastian Schulz <<a href="mailto:sebastian.schulz@globalsign.com">sebastian.schulz@globalsign.com</a>><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal">On 8/9/2021 11:01 <span lang="ZH-CN">μ</span>.<span lang="ZH-CN">μ</span>., Ian McMillan wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Thanks Seb and Dimitris!</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">I am totally with Dimitris on this topic and I like the addition “note” Dimitris and Clint are putting into the BRs (so much so I am incorporating
it). Please see that attached revise of the redline doc. </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><br>
Hi Ian,<br>
<br>
Procedure-wise, the red-line and the "Draft Guideline" that is put for a ballot, must be based on the at-the-time effective Final Guideline, which is currently 2.3. The Revisions table should also not be part of the ballot because we are running ballots in
parallel and might stumble on minor deviations with effective dates, unless we have reasons to update tables with version numbers. This is explicitly called out in the
<a href="https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fgithub.com*2Fcabforum*2Fforum*2Fblob*2Fmain*2FBylaws.md&data=04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999562221*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=b5Zk68ET4XdhoEwKZY3OX17Wtec*2FxVMp193AHjpMO4E*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUo891wN5k$">
Bylaws </a>section 2.4 (8). <br>
<br>
For example, CSC-9 has ended the IPR review period but the Chair/Vice-Chair must announce the end of the IPR Review Period, making sure that no Exclusion Notices have been filed, and publish the final guideline based on that ballot. The effective date would
be the day the final guideline is published (not 2021-09-08). The same applies to CSC-10. For those reasons, and considering the fact that the IPR Review for CSC-10 ends very soon (2021-09-12), I would suggest that you wait a couple of days and base your redline
on the Final Guideline that will be published by Bruce based on CSC-10 to start the discussion period.<br>
<br>
Regarding your comment on 15.1 about Signing Services, I agree that it seems out of place and would propose to remote it so that the text reads "CAs and each Delegated Third Party SHALL..."<br>
<br>
Similarly for the "Note" in section 15.3, I suggest replacing "Signing Service" with "Delegated Third Parties".<br>
<br>
Happy to endorse with the changes above, if there are no objections by other Members.
<br>
<br>
<br>
Best regards,<br>
Dimitris.<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Ian
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> Cscwg-public
<a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Dimitris Zacharopoulos (HARICA) via Cscwg-public<br>
<b>Sent:</b> Thursday, September 2, 2021 6:52 AM<br>
<b>To:</b> Sebastian Schulz <a href="mailto:sebastian.schulz@globalsign.com"><sebastian.schulz@globalsign.com></a>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Sebastian,<br>
<br>
I'd like to share with the CSCWG a proposal I wrote after some collaboration with Clint Wilson from Apple. You may find the proposed changes to the BRs in
<a href="https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fgithub.com*2Fdzacharo*2Fservercert*2Fpull*2F2*2Ffiles&data=04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999572177*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=noVaBPqqk8vMOAvxeIVFOpeWyYmsqDAu1q2zhgMigss*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUl!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUoxn44LQk$">
https://github.com/dzacharo/servercert/pull/2/files</a>.<br>
<br>
The fact that the retention period has a lower limit, nothing prevents a CA from keeping logs/archives for longer periods in order to investigate past security incidents. This is highlighted in a NOTE in the proposal above. Similarly the NetSec SCWG subcommittee
is working on a draft in <a href="https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fdocs.google.com*2Fdocument*2Fd*2F1SCyrt8la1slPJhvnWUW6ROlqIV3yaDwb3LKZ5qjdiH4&data=04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999572177*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=HyN*2BOns4iQ8tG1eq5thB9njrTonCw0hfMrTVKG5tl08*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSU!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUoKcVtQGU$">
https://docs.google.com/document/d/1SCyrt8la1slPJhvnWUW6ROlqIV3yaDwb3LKZ5qjdiH4</a>.<br>
<br>
For the CA Certificates' retention period, which is proposed to be 2 years after the expiration/revocation/key deletion of the CA, IMHO the same principle applies. The CA must determine if it needs to keep logs for more time in order to perform proper retrospection
related to a security incident AFTER a CA has been decommissioned.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 2/9/2021 1:35 <span lang="ZH-CN">μ</span>.<span lang="ZH-CN">μ</span>., Sebastian Schulz via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hey All, Hey Ian</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">What seems a little odd to me is that the requirements for the duration of log retention are the same for CA certificates as for subscriber certificates,
given their wildly different original validity periods. I know the TLS BR handle it like that as well but come to think of it….isn’t the purpose of log retention to be able to identify possible errors in operation of a CA from the aftermath? Since CA certificate
lifecycle operations are carried out at much lower frequency than those for subscriber certificates, I would have assumed that more logged time is needed to identify possible systemic errors (in contrast, 2 years retention for subscriber certificates with
max 3 year validity almost seems long)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Just a thought that came to mind, maybe I just missed discussion around it. Or another discussion needs to be had, but not for this ballot then.
When it comes to adding TS requirements and detaching it from TLS BR - looks good to me
</span><span style="font-size:11.0pt;font-family:"Segoe UI Emoji",sans-serif">😊</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Best,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Seb</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-US">Sebastian Schulz</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><br>
</span><i><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#666666;mso-fareast-language:EN-GB">Product Manager Client Certificates</span></i><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Cscwg-public
<a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> 01 September 2021 17:00<br>
<b>To:</b> Ian McMillan <a href="mailto:ianmcm@microsoft.com"><ianmcm@microsoft.com></a>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; <a href="mailto:dzacharo@harica.gr">
dzacharo@harica.gr</a>; <a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hi All,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Please review the attached updated redline with the removal of all references to the SSL/TLS BRs for section 15 on data records.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">I’d like to note that Signing Services are included in the data records requirements but seem really out of place as they are responsible for subscriber
key generation and protection as it is described in section 16.2, and not the management or creation of CA certificates. I could easily see us removing Sign Services from this section or authoring a new set of requirements for signing services as part of the
refinement of the CSBRs for signing services. </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Ian
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Cscwg-public
<a href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a>
<b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> Wednesday, September 1, 2021 8:27 AM<br>
<b>To:</b> <a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>; <a href="mailto:Bruce.Morton@entrust.com">
Bruce.Morton@entrust.com</a>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="color:black">Hi Bruce and Dimitris,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="color:black">I like this idea and I<span lang="ZH-CN">’</span>ll work on this update to share with the group before next week<span lang="ZH-CN">’</span>s meeting.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="color:black">Thanks,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="color:black">Ian</span><o:p></o:p></p>
</div>
</div>
<div id="ms-outlook-mobile-signature">
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal">Get <a href="https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Faka.ms*2Fo0ukef&data=04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999572177*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=8uyyUIB21wuS3I8t9jdKGkJqrunPVSZMyE7g*2FIEDBHM*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUl!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUoIsKKC6w$">
Outlook for iOS</a><o:p></o:p></p>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>><br>
<b>Sent:</b> Wednesday, September 1, 2021 8:16:03 AM<br>
<b>To:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>>; Ian McMillan <<a href="mailto:ianmcm@microsoft.com">ianmcm@microsoft.com</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public] DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 26/8/2021 9:00 <span lang="ZH-CN">μ</span>.<span lang="ZH-CN">μ</span>., Bruce Morton via Cscwg-public wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal">Hi Ian,<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">I am wondering if we could change the text, so we do not reference the SSL BRs. I’m saying this because:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="xmsolistparagraph" style="margin-left:0in;mso-list:l1 level1 lfo3">CSBRs refer to SSL BR version 1.6.9, which was updated per SC27<o:p></o:p></li><li class="xmsolistparagraph" style="margin-left:0in;mso-list:l1 level1 lfo3">CSBR section 15.2 would be easier to read<o:p></o:p></li><li class="xmsolistparagraph" style="margin-left:0in;mso-list:l1 level1 lfo3">CSBR section 15.2 would be independent of the SSL BRs, which goes in the direction of our goal<o:p></o:p></li></ol>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">Thanks, Bruce.<o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I agree with Bruce. We should try to incorporate text from the TLS BRs that makes sense for the CS BRs as much as we can and avoid references that have the risk of becoming broken or amended by the SCWG.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal"><b>From:</b> Cscwg-public <a href="mailto:cscwg-public-bounces@cabforum.org">
<cscwg-public-bounces@cabforum.org></a> <b>On Behalf Of </b>Ian McMillan via Cscwg-public<br>
<b>Sent:</b> Thursday, August 26, 2021 12:29 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements<o:p></o:p></p>
</div>
</div>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"><span style="font-size:12.0pt;font-family:SimSun">WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.</span><o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<p class="xmsonormal">Hi Folks, <br>
<br>
I am looking for feedback and at least two endorsements on this new ballot I am proposing. Please share your feedback and if you are willing to endorse this ballot.<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"><a href="https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Furldefense.com*2Fv3*2F__https*3A*2Fwiki.cabforum.org*2Fcscwg*2Fcsc_11_-_update_to_log_data_retention_requirements__*3B!!FJ-Y8qCqXTj2!OxtP9iVwcvkR2NB3D6_-cStNUlZ0jiRsvQI7kzZGF3vX8NFDtimB6Te0-iBFuXDSLg0*24&data=04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999582131*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=BJidr4YnWniggGmazUxO4cTwAuX0iHteFREqsQRzkoE*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUoZrd49aU$">Ballot
CSC-11: Update to log data retention requirements</a><o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">Purpose of this ballot:<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">Update the log data and retention of log data requirements in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.5.<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">The following motion has been proposed by Ian McMillan of Microsoft, and I am looking for endorsements from two other members of the CSCWG.
<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">— MOTION BEGINS —<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 2.5 according to the attached redline which including<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsolistparagraph" style="margin-left:1.0in;text-indent:-.25in">Update section 15 “Data Records” to include sub-section 15.1 “Timestamp Authority Data Records”<o:p></o:p></p>
<p class="xmsolistparagraph" style="margin-left:1.0in;text-indent:-.25in">Update section 15.1 to clarify 4(f) for security event logging on Timestamp Authority servers<o:p></o:p></p>
<p class="xmsolistparagraph" style="margin-left:1.0in;text-indent:-.25in">Update section 15.1 on 4(d) for security event logging to no longer include “hardware failures”<o:p></o:p></p>
<p class="xmsolistparagraph" style="margin-left:1.0in;text-indent:-.25in">Update section 15 “Data Records” to include sub-section 15.2 “Data Retention Period for Audit Logs”<o:p></o:p></p>
<p class="xmsolistparagraph" style="margin-left:1.0in;text-indent:-.25in">Update section 15.2 to no longer reference Baseline Requirements section 5.4.3 and defined a specific retention period for CA, subscriber certificate, Timestamp Authority, and security
event data records for at least 2 years<o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin-left:.5in">— MOTION ENDS —<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">Thanks,<o:p></o:p></p>
<p class="xmsonormal">Ian<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error,
you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Flists.cabforum.org*2Fmailman*2Flistinfo*2Fcscwg-public&data=04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999582131*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=W4Mjx*2F8lcP*2BWdBj*2BH2QLFP5RCzk9dUWrUpy5YF10r*2Fw*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSU!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUod_xeotA$">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Flists.cabforum.org*2Fmailman*2Flistinfo*2Fcscwg-public&data=04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999592071*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=*2FIS2jPWsYInBSK*2BbNmi1sAoCWd9DeVIdbKFnR5uND8c*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUl!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUoO7alsFk$">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
</body>
</html>