<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<pre>This is an update to the original SC28, with some text which addresses (hopefully) the issues raised by Ryan and others.</pre>
<pre>The amended discussion document is attached to this email.</pre>
<pre>Principal changes:</pre>
<pre>1) A definition of Certificate Profile</pre>
<pre>2) A requirement to retain logs of Certificate Profiles for as long as the CA to which they are attached lives</pre>
<pre>3) An amendment which states that the requirement to log CA lifecycle events lives as long as any CA private key, or the longest lived certificate associated with that key - whichever is the longer lived component.
</pre>
<pre>4) A requirement to log software installation/update/removal on CA systems [just in case there are people out there who don't think that a system description which only describes the hardware is adequate!]</pre>
<pre class="moz-quote-pre" wrap="">Updated redline: <a class="moz-txt-link-freetext" href="https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:5480a95">https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:5480a95</a>

Feedback still very welcome,

Neil
---
This continues the discussion period for the Ballot SC28: Logging and Log
Retention

Purpose of Ballot:

The proposed changes seek to clarify the relationship between audit
logging obligations under Network and Certification System Security
Requirements and Baseline Requirements and to reduce the retention
period for log data, when appropriate. The proposed change also provides
clarification by specifically cross-referencing the Baseline Requirements.

The current log retention requirements for subscriber certificates
require certificate validation and certificate activity to be retained
for seven years, while the lifetime of a certificate is only two years.
There does not seem to be a justification for retaining logs three times
as long as the lifetime of the certificate. As certificate lifetimes
move to one year this further supports a reduction in log retention;
this ballot proposes a sorting of the logged events into logical
categories, together with a requirement of CAs to retain the data for
two years after the event has passed (as opposed to the blanket seven
years which exists as a duty currently).

The benefit of this ballot is to reduce data retention requirements for
those log elements which most CAs consider as having limited long-term
value. As an example, firewall and router activity logs are of
significant size and thus impose significant storage requirements. These
logs serve a benefit when investigating a potential security event,
however, these logs lose value with the passage of time. Logs containing
firewall traffic that is several years old provide little value in the
investigation of a contemporary incident. Additionally, certificate
validation and issuance logs have little value after a certificate has
expired. The log size for many CAs is measured in terabytes each year,
and the overhead of storing these logs and monitoring for compliance is
significant. The benefit for reducing retention is considered high.

The discussion document which forms the basis of the ballot is attached
as a PDF to this email - previous attempts to link to the Google Drive
document ran up against permission problems in the past.

Proposal

The following ballot is proposed by Neil Dunbar of TrustCor Systems and
endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of
Microsoft.</pre>
<pre>*— MOTION BEGINS —*</pre>
<pre>Delete the following Section 5.4.1. from the “Baseline Requirements for
the Issuance and Management of Publicly-Trusted Certificates”, version
1.6.7, which currently reads as follows:</pre>
<pre>The CA and each Delegated Third Party SHALL record details of the
actions taken to process a certificate request and to issue a
Certificate, including all information generated and documentation
received in connection with the certificate request; the time and date;
and the personnel involved. The CA SHALL make these records available
to its Qualified Auditor as proof of the CA’s compliance with these
Requirements.

The CA SHALL record at least the following events:

1. CA key lifecycle management events, including:
    a. Key generation, backup, storage, recovery, archival,
       and destruction; and
    b. Cryptographic device lifecycle management events.
2. CA and Subscriber Certificate lifecycle management events, including:
    a. Certificate requests, issuance, renewal, and re-key requests,
       and revocation;
    b. All verification activities stipulated in these Requirements
       and the CA’s Certification Practice Statement;
    c. Date, time, phone number used, persons spoken to, and end
       results of verification telephone calls;
    d. Acceptance and rejection of certificate requests; Frequency
       of Processing Log
    e. Issuance of Certificates; and
    f. Generation of Certificate Revocation Lists and OCSP entries.
3. Security events, including:
    a. Successful and unsuccessful PKI system access attempts;
    b. PKI and security system actions performed;
    c. Security profile changes;
    d. System crashes, hardware failures, and other anomalies;
    e. Firewall and router activities; and
    f. Entries to and exits from the CA facility.</pre>
<pre>Insert in Section 1.6.1 (Definitions) of the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted Certificates”, the following (after
the definition of “Certification Practice Statement”):</pre>
<pre>Certificate Profile: A set of documents or files that defines requirements for
Certificate content and Certificate extensions in accordance with Section 7 of
the Baseline Requirements. e.g. a Section in a CA’s CPS or a certificate
template file used by CA software.</pre>
<pre>Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline Requirements
for the Issuance and Management of Publicly-Trusted Certificates”, the following:</pre>
<pre>Section 5.4.1</pre>
<pre>The CA and each Delegated Third Party SHALL record details of the actions taken
to process a certificate request and to issue a Certificate, including all information
generated and documentation received in connection with the certificate request;
the time and date; and the personnel involved. The CA SHALL make these records
available to its Qualified Auditor as proof of the CA’s compliance with these
Requirements.</pre>
<pre>The CA SHALL record at least the following events:</pre>
<ol>
<li>CA certificate and key lifecycle events, including:
<ol>
<li>Key generation, backup, storage, recovery, archival, and destruction;</li>
<li>Certificate requests, renewal, and re-key requests, and revocation;</li>
<li>Approval and rejection of certificate requests;</li>
<li>Cryptographic device lifecycle management events;</li>
<li>Generation of Certificate Revocation Lists and OCSP entries;</li>
<li>Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.</li>
</ol>
</li>
<li>Subscriber Certificate lifecycle management events, including:
<ol>
<li>Certificate requests, renewal, and re-key requests, and revocation;</li>
<li>All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;</li>
<li>Approval and rejection of certificate requests;</li>
<li>Issuance of Certificates; and</li>
<li>Generation of Certificate Revocation Lists and OCSP entries.</li>
</ol>
</li>
<li>Security events, including:
<ol>
<li>Successful and unsuccessful PKI system access attempts;</li>
<li>PKI and security system actions performed;</li>
<li>Security profile changes;</li>
<li>Installation, update and removal of software on a Certificate System;</li>
<li>System crashes, hardware failures, and other anomalies;</li>
<li>Firewall and router activities; and</li>
<li>Entries to and exits from the CA facility.</li>
</ol>
</li>
</ol>
<pre>Delete the following Section 5.4.3. from the “Baseline Requirements for the Issuance
and Management of Publicly-Trusted Certificates”, version 1.6.7, which currently
reads as follows:</pre>
<pre>    The CA SHALL retain any audit logs generated for at least seven years. The CA
    SHALL make these audit logs available to its Qualified Auditor upon request.</pre>
<pre>Insert, as Section 5.4.3. Retention Period for Audit Logs of the “Baseline Requirements
for the Issuance and Management of Publicly-Trusted Certificates”, the following:</pre>
<pre>    The CA SHALL retain, for at least two years:</pre>
<ol>
<li>CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after either:
<ol style="list-style-type:lower-alpha;">
<li>the destruction of the CA Private Key; or</li>
<li>the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key, whichever event occurs later.</li>
</ol>
</li>
<li>Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.</li>
<li>Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred.</li>
</ol>
<pre>Delete from “Network and Certificate Systems Security Requirements”, Version 1.3,
Section 3.b</pre>
<pre>    b. Identify those Certificate Systems under the control of CA or Delegated
    Third Party Trusted Roles capable of monitoring and logging system activity
    and enable those systems to continuously monitor and log system activity;</pre>
<pre>Insert new “Network and Certificate Systems Security Requirements”, Version 1.3,
Section 3.b with the following text:</pre>
<pre>    b. Identify those Certificate Systems under the control of CA or Delegated
    Third Party Trusted Roles capable of monitoring and logging system activity,
    and enable those systems to log and continuously monitor the events specified
    in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and
    Management of Publicly-Trusted Certificates;</pre>
<pre>*— MOTION ENDS —*</pre>
<div class="moz-cite-prefix">
<pre>Discussion (7+ days)
Start Time: 2020-06-17 17:00:00 UTC
End Time: 2020-06-24 17:00:00 UTC
Vote for approval (7 days)
Start Time : TBD
End Time: TBD
</pre>
</div>
</body>
</html>