<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Roboto;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1858034049;
mso-list-template-ids:-137956508;}
@list l1
{mso-list-id:1944919215;
mso-list-template-ids:628367492;}
@list l0:level2 lfo3
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Amazon Trust Services votes Yes for SC28v6<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Servercert-wg <servercert-wg-bounces@cabforum.org>
<b>On Behalf Of </b>Neil Dunbar via Servercert-wg<br>
<b>Sent:</b> Thursday, September 3, 2020 5:23<br>
<b>To:</b> servercert-wg@cabforum.org<br>
<b>Subject:</b> [EXTERNAL] [Servercert-wg] VOTING BEGINS: SC28v6 - Logging and Log Retention<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:15.25pt">
<td width="706" valign="top" style="width:842.35pt;border:solid #ED7D31 1.5pt;padding:0in 5.4pt 0in 5.4pt;height:15.25pt">
<p><strong><span style="background:#FFFF99">CAUTION</span></strong><span style="background:#FFFF99">: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p>This begins the voting period for ballot SC28: Logging and Log Retention.<o:p></o:p></p>
<p>The ballot has been in heartbeat for some time - hopefully CAs have had the time to look at the issues within during this extended discussion period.<o:p></o:p></p>
<p>[The discussion document is attached to this email]<o:p></o:p></p>
<pre>Current redline: <a href="https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad">https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad</a><o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Purpose of Ballot:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The proposed changes seek to clarify the relationship between audit<o:p></o:p></pre>
<pre>logging obligations under Network and Certification System Security<o:p></o:p></pre>
<pre>Requirements and Baseline Requirements and to reduce the retention<o:p></o:p></pre>
<pre>period for log data, when appropriate. The proposed change also provides<o:p></o:p></pre>
<pre>clarification by specifically cross-referencing the Baseline Requirements.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The current log retention requirements for subscriber certificates<o:p></o:p></pre>
<pre>require certificate validation and certificate activity to be retained<o:p></o:p></pre>
<pre>for seven years, while the lifetime of a certificate is only two years.<o:p></o:p></pre>
<pre>There does not seem to be a justification for retaining logs three times<o:p></o:p></pre>
<pre>as long as the lifetime of the certificate. As certificate lifetimes<o:p></o:p></pre>
<pre>move to one year this further supports a reduction in log retention;<o:p></o:p></pre>
<pre>this ballot proposes a sorting of the logged events into logical<o:p></o:p></pre>
<pre>categories, together with a requirement of CAs to retain the data for<o:p></o:p></pre>
<pre>two years after the event has passed (as opposed to the blanket seven<o:p></o:p></pre>
<pre>years which exists as a duty currently).<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The benefit of this ballot is to reduce data retention requirements for<o:p></o:p></pre>
<pre>those log elements which most CAs consider as having limited long-term<o:p></o:p></pre>
<pre>value. As an example, firewall and router activity logs are of<o:p></o:p></pre>
<pre>significant size and thus impose significant storage requirements. These<o:p></o:p></pre>
<pre>logs serve a benefit when investigating a potential security event,<o:p></o:p></pre>
<pre>however, these logs lose value with the passage of time. Logs containing<o:p></o:p></pre>
<pre>firewall traffic that is several years old provide little value in the<o:p></o:p></pre>
<pre>investigation of a contemporary incident. Additionally, certificate<o:p></o:p></pre>
<pre>validation and issuance logs have little value after a certificate has<o:p></o:p></pre>
<pre>expired. The log size for many CAs is measured in terabytes, each year<o:p></o:p></pre>
<pre>and the overhead of storing these logs and monitoring for compliance is<o:p></o:p></pre>
<pre>significant. The benefit for reducing retention is considered high.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The dicussion document which forms the basis of the ballot is attached<o:p></o:p></pre>
<pre>as a PDF to this email - previous attempts to link to the Google Drive<o:p></o:p></pre>
<pre>document ran up against permission problems in the past.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Proposal<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>The following ballot is proposed by Neil Dunbar of TrustCor Systems and<o:p></o:p></pre>
<pre>endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of<o:p></o:p></pre>
<pre>Microsoft.<o:p></o:p></pre>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:0in">
<span style="font-size:10.0pt;font-family:"Courier New"">*— MOTION BEGINS —*<o:p></o:p></span></p>
<pre style="margin-bottom:10.0pt">Delete the following Section 5.4.1. from the “Baseline Requirements for<o:p></o:p></pre>
<pre style="margin-bottom:10.0pt">the Issuance and Management of Publicly-Trusted Certificates”, version<o:p></o:p></pre>
<pre style="margin-bottom:10.0pt">1.6.7, which currently reads as follows:<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">The CA and each Delegated Third Party SHALL record details of the<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">actions taken to process a certificate request and to issue a<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">Certificate, including all information generated and documentation<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">received in connection with the certificate request; the time and date;<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">and the personnel involved. The CA SHALL make these records available<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">to its Qualified Auditor as proof of the CA’s compliance with these<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">Requirements.<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt">The CA SHALL record at least the following events:<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt"> 1. CA key lifecycle management events, including: <o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">a. Key generation, backup, storage, recovery, archival,<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">and destruction; and <o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">b. Cryptographic device lifecycle management events. <o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt">2. CA and Subscriber Certificate lifecycle management events, including:<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">a. Certificate requests, issuance, renewal, and re-key requests,<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt"> and revocation;<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">b. All verification activities stipulated in these Requirements<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt"> and the CA’s Certification Practice Statement;<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">c. Date, time, phone number used, persons spoken to, and end<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt"> results of verification telephone calls;<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">d. Acceptance and rejection of certificate requests; Frequency<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt"> of Processing Log<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">e. Issuance of Certificates; and<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">f. Generation of Certificate Revocation Lists and OCSP entries.<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt">3. Security events, including:<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">a. Successful and unsuccessful PKI system access attempts;<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">b. PKI and security system actions performed;<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">c. Security profile changes;<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">d. System crashes, hardware failures, and other anomalies;<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">e. Firewall and router activities; and<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt">f. Entries to and exits from the CA facility.<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">Insert in Section 1.6.1 (Definitions) of the “Baseline Requirements for the<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">Issuance and Management of Publicly-Trusted Certificates”, the following (after<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">the definition of “Certification Practice Statement”):<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">Certificate Profile: A set of documents or files that defines requirements for<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">Certificate content and Certificate extensions in accordance with Section 7 of<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">the Baseline Requirements. e.g. a Section in a CA’s CPS or a certificate<o:p></o:p></pre>
<pre style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">template file used by CA software.<o:p></o:p></pre>
<pre style="margin-bottom:10.0pt">Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline Requirements<o:p></o:p></pre>
<pre style="margin-bottom:10.0pt">for the Issuance and Management of Publicly-Trusted Certificates”, the following:<o:p></o:p></pre>
<pre>Section 5.4.1<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">The CA and each Delegated Third Party SHALL record details of the actions taken<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">to process a certificate request and to issue a Certificate, including all information<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">generated and documentation received in connection with the certificate request;<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">the time and date; and the personnel involved. The CA SHALL make these records<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">available to its Qualified Auditor as proof of the CA’s compliance with these<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">Requirements.<o:p></o:p></pre>
<pre style="margin-bottom:12.0pt">The CA SHALL record at least the following events:<o:p></o:p></pre>
<pre style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">CA certificate and key lifecycle events, including:<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Key generation, backup, storage, recovery, archival, and destruction; <o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Certificate requests, renewal, and re-key requests, and revocation;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Approval and rejection of certificate requests; <o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Cryptographic device lifecycle management events;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Generation of Certificate Revocation Lists and OCSP entries;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">6.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.<o:p></o:p></span></pre>
<pre style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Subscriber Certificate lifecycle management events, including:<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Certificate requests, renewal, and re-key requests, and revocation;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Approval and rejection of certificate requests; <o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Issuance of Certificates; and<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Generation of Certificate Revocation Lists and OCSP entries.<o:p></o:p></span></pre>
<pre style="margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Security events, including:<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Successful and unsuccessful PKI system access attempts;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">PKI and security system actions performed;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Security profile changes;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">4.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Installation, update and removal of software on a Certificate System; <o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">5.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">System crashes, hardware failures, and other anomalies;<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">6.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Firewall and router activities; and<o:p></o:p></span></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in;text-indent:-.25in;mso-list:l1 level2 lfo1;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">7.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Entries to and exits from the CA facility.<o:p></o:p></span></pre>
<pre style="margin-bottom:10.0pt">Delete the following Section 5.4.3. from the “Baseline Requirements for the Issuance<o:p></o:p></pre>
<pre style="margin-bottom:10.0pt">and Management of Publicly-Trusted Certificates”, version 1.6.7, which currently<o:p></o:p></pre>
<pre style="margin-bottom:10.0pt">reads as follows:<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:35.45pt">The CA SHALL retain any audit logs generated for at least seven years. The CA<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:35.45pt">SHALL make these audit logs available to its Qualified Auditor upon request.<o:p></o:p></pre>
<pre>Insert, as Section 5.4.3. Retention Period for Audit Logs of the “Baseline Requirements<o:p></o:p></pre>
<pre>for the Issuance and Management of Publicly-Trusted Certificates”, the following:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre style="margin-left:.5in">The CA SHALL retain, for at least two years:<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo2;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:<o:p></o:p></span></pre>
<pre style="margin-left:2.0in;text-indent:-.25in;mso-list:l0 level2 lfo3;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">the destruction of the CA Private Key; or<o:p></o:p></span></pre>
<pre style="margin-left:2.0in;text-indent:-.25in;mso-list:l0 level2 lfo3;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key; <o:p></o:p></span></pre>
<pre style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:2.0in;text-indent:-.25in;mso-list:l0 level2 lfo3;vertical-align:baseline"><![if !supportLists]><span style="font-size:11.0pt;font-family:Roboto;color:black"><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="font-size:11.0pt;font-family:Roboto;color:black"><o:p> </o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo3;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo3;vertical-align:baseline"><![if !supportLists]><span style="color:black"><span style="mso-list:Ignore">3.<span style="font:7.0pt "Times New Roman""> </span></span></span><![endif]><span style="color:black">Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred. <o:p></o:p></span></pre>
<pre style="margin-bottom:10.0pt">Delete from “Network and Certificate Systems Security Requirements”, Version 1.3,<o:p></o:p></pre>
<pre style="margin-bottom:10.0pt">Section 3.b<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:35.45pt">b. Identify those Certificate Systems under the control of CA or Delegated<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:35.45pt"> Third Party Trusted Roles capable of monitoring and logging system activity<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:35.45pt"> and enable those systems to continuously monitor and log system activity;<o:p></o:p></pre>
<pre>Insert new “Network and Certificate Systems Security Requirements”, Version 1.3,<o:p></o:p></pre>
<pre>Section 3.b with the following text:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:.5in">b. Identify those Certificate Systems under the control of CA or Delegated<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:.5in"> Third Party Trusted Roles capable of monitoring and logging system activity,<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:.5in"> and enable those systems to log and continuously monitor the events specified<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:.5in"> in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and<o:p></o:p></pre>
<pre style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:.5in"> Management of Publicly-Trusted Certificates;<o:p></o:p></pre>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:0in">
<span style="font-size:11.0pt;font-family:"Courier New";color:black">*— MOTION ENDS —*</span><span style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<div>
<pre>Discussion (7+ days)<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Start Time: 2020-07-10 17:00:00 UTC<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>End Time: 2020-08-28 17:00:00 UTC<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Vote for approval (7 days)<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Start Time : 2020-09-03 17:00:00 UTC<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>End Time: 2020-09-10 17:00:00 UTC<o:p></o:p></pre>
</div>
</div>
</div>
</body>
</html>