<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:微软雅黑;
panose-1:2 11 5 3 2 2 4 2 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"\@微软雅黑";
panose-1:2 11 5 3 2 2 4 2 2 4;}
@font-face
{font-family:Roboto;
panose-1:2 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:宋体;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:宋体;}
pre
{mso-style-priority:99;
mso-style-link:"HTML 预设格式 Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:宋体;}
span.HTMLChar
{mso-style-name:"HTML 预设格式 Char";
mso-style-priority:99;
mso-style-link:"HTML 预设格式";
font-family:"Courier New";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:552085076;
mso-list-template-ids:1261201034;}
@list l1
{mso-list-id:1799227917;
mso-list-template-ids:1834897080;}
@list l0:level2 lfo3
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0cm;
text-indent:0cm;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-CN link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>GDCA votes YES on Ballot SC28v6.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks.<o:p></o:p></span></p><div><div class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"微软雅黑","sans-serif";color:black'><hr size=1 width=210 style='width:157.5pt' noshade style='color:#B5C4DF' align=left></span></div><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,<o:p></o:p></span></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><b><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>Xiu Lei<o:p></o:p></span></b></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><b><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>Security Policy Committee<o:p></o:p></span></b></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><b><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'>Global Digital Cybersecurity Authority CO., LTD. (GDCA)</span></b><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal style='text-align:justify;text-justify:inter-ideograph'><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="http://www.gdca.com.cn">http://www.gdca.com.cn</a> <o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:10.5pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt'>发件人<span lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt'> servercert-wg-bounces@cabforum.org [mailto:servercert-wg-bounces@cabforum.org] </span><b><span style='font-size:10.0pt'>代表 </span></b><span lang=EN-US style='font-size:10.0pt'>Neil Dunbar via Servercert-wg<br></span><b><span style='font-size:10.0pt'>发送时间<span lang=EN-US>:</span></span></b><span lang=EN-US style='font-size:10.0pt'> 2020</span><span style='font-size:10.0pt'>年<span lang=EN-US>9</span>月<span lang=EN-US>3</span>日<span lang=EN-US> 20:23<br></span><b>收件人<span lang=EN-US>:</span></b><span lang=EN-US> servercert-wg@cabforum.org<br></span><b>主题<span lang=EN-US>:</span></b><span lang=EN-US> [Servercert-wg] VOTING BEGINS: SC28v6 - Logging and Log Retention<o:p></o:p></span></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p><span lang=EN-US>This begins the voting period for ballot SC28: Logging and Log Retention.<o:p></o:p></span></p><p><span lang=EN-US>The ballot has been in heartbeat for some time - hopefully CAs have had the time to look at the issues within during this extended discussion period.<o:p></o:p></span></p><p><span lang=EN-US>[The discussion document is attached to this email]<o:p></o:p></span></p><pre><span lang=EN-US>Current redline: <a href="https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad">https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad</a><o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Purpose of Ballot:<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The proposed changes seek to clarify the relationship between audit<o:p></o:p></span></pre><pre><span lang=EN-US>logging obligations under Network and Certification System Security<o:p></o:p></span></pre><pre><span lang=EN-US>Requirements and Baseline Requirements and to reduce the retention<o:p></o:p></span></pre><pre><span lang=EN-US>period for log data, when appropriate. The proposed change also provides<o:p></o:p></span></pre><pre><span lang=EN-US>clarification by specifically cross-referencing the Baseline Requirements.<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The current log retention requirements for subscriber certificates<o:p></o:p></span></pre><pre><span lang=EN-US>require certificate validation and certificate activity to be retained<o:p></o:p></span></pre><pre><span lang=EN-US>for seven years, while the lifetime of a certificate is only two years.<o:p></o:p></span></pre><pre><span lang=EN-US>There does not seem to be a justification for retaining logs three times<o:p></o:p></span></pre><pre><span lang=EN-US>as long as the lifetime of the certificate. As certificate lifetimes<o:p></o:p></span></pre><pre><span lang=EN-US>move to one year this further supports a reduction in log retention;<o:p></o:p></span></pre><pre><span lang=EN-US>this ballot proposes a sorting of the logged events into logical<o:p></o:p></span></pre><pre><span lang=EN-US>categories, together with a requirement of CAs to retain the data for<o:p></o:p></span></pre><pre><span lang=EN-US>two years after the event has passed (as opposed to the blanket seven<o:p></o:p></span></pre><pre><span lang=EN-US>years which exists as a duty currently).<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The benefit of this ballot is to reduce data retention requirements for<o:p></o:p></span></pre><pre><span lang=EN-US>those log elements which most CAs consider as having limited long-term<o:p></o:p></span></pre><pre><span lang=EN-US>value. As an example, firewall and router activity logs are of<o:p></o:p></span></pre><pre><span lang=EN-US>significant size and thus impose significant storage requirements. These<o:p></o:p></span></pre><pre><span lang=EN-US>logs serve a benefit when investigating a potential security event,<o:p></o:p></span></pre><pre><span lang=EN-US>however, these logs lose value with the passage of time. Logs containing<o:p></o:p></span></pre><pre><span lang=EN-US>firewall traffic that is several years old provide little value in the<o:p></o:p></span></pre><pre><span lang=EN-US>investigation of a contemporary incident. Additionally, certificate<o:p></o:p></span></pre><pre><span lang=EN-US>validation and issuance logs have little value after a certificate has<o:p></o:p></span></pre><pre><span lang=EN-US>expired. The log size for many CAs is measured in terabytes, each year<o:p></o:p></span></pre><pre><span lang=EN-US>and the overhead of storing these logs and monitoring for compliance is<o:p></o:p></span></pre><pre><span lang=EN-US>significant. The benefit for reducing retention is considered high.<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The dicussion document which forms the basis of the ballot is attached<o:p></o:p></span></pre><pre><span lang=EN-US>as a PDF to this email - previous attempts to link to the Google Drive<o:p></o:p></span></pre><pre><span lang=EN-US>document ran up against permission problems in the past.<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Proposal<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The following ballot is proposed by Neil Dunbar of TrustCor Systems and<o:p></o:p></span></pre><pre><span lang=EN-US>endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of<o:p></o:p></span></pre><pre><span lang=EN-US>Microsoft.<o:p></o:p></span></pre><p style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:0cm'><span lang=EN-US>*— MOTION BEGINS —*<o:p></o:p></span></p><pre style='margin-bottom:10.0pt'><span lang=EN-US>Delete the following Section 5.4.1. from the “Baseline Requirements for<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>the Issuance and Management of Publicly-Trusted Certificates”, version<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>1.6.7, which currently reads as follows:<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>The CA and each Delegated Third Party SHALL record details of the<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>actions taken to process a certificate request and to issue a<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>Certificate, including all information generated and documentation<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>received in connection with the certificate request; the time and date;<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>and the personnel involved. The CA SHALL make these records available<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>to its Qualified Auditor as proof of the CA’s compliance with these<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>Requirements.<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US>The CA SHALL record at least the following events:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US> 1. CA key lifecycle management events, including: <o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>a. Key generation, backup, storage, recovery, archival,<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>and destruction; and <o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>b. Cryptographic device lifecycle management events. <o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US>2. CA and Subscriber Certificate lifecycle management events, including:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>a. Certificate requests, issuance, renewal, and re-key requests,<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> and revocation;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>b. All verification activities stipulated in these Requirements<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> and the CA’s Certification Practice Statement;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>c. Date, time, phone number used, persons spoken to, and end<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> results of verification telephone calls;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>d. Acceptance and rejection of certificate requests; Frequency<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> of Processing Log<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>e. Issuance of Certificates; and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>f. Generation of Certificate Revocation Lists and OCSP entries.<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US>3. Security events, including:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>a. Successful and unsuccessful PKI system access attempts;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>b. PKI and security system actions performed;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>c. Security profile changes;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>d. System crashes, hardware failures, and other anomalies;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>e. Firewall and router activities; and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>f. Entries to and exits from the CA facility.<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Insert in Section 1.6.1 (Definitions) of the “Baseline Requirements for the<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Issuance and Management of Publicly-Trusted Certificates”, the following (after<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>the definition of “Certification Practice Statement”):<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Certificate Profile: A set of documents or files that defines requirements for<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Certificate content and Certificate extensions in accordance with Section 7 of<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>the Baseline Requirements. e.g. a Section in a CA’s CPS or a certificate<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>template file used by CA software.<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline Requirements<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>for the Issuance and Management of Publicly-Trusted Certificates”, the following:<o:p></o:p></span></pre><pre><span lang=EN-US>Section 5.4.1<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>The CA and each Delegated Third Party SHALL record details of the actions taken<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>to process a certificate request and to issue a Certificate, including all information<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>generated and documentation received in connection with the certificate request;<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>the time and date; and the personnel involved. The CA SHALL make these records<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>available to its Qualified Auditor as proof of the CA’s compliance with these<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>Requirements.<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>The CA SHALL record at least the following events:<o:p></o:p></span></pre><pre style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l1 level1 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>CA certificate and key lifecycle events, including:<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Key generation, backup, storage, recovery, archival, and destruction; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Certificate requests, renewal, and re-key requests, and revocation;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Approval and rejection of certificate requests; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Cryptographic device lifecycle management events;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Generation of Certificate Revocation Lists and OCSP entries;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.<o:p></o:p></span></pre><pre style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l1 level1 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Subscriber Certificate lifecycle management events, including:<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Certificate requests, renewal, and re-key requests, and revocation;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Approval and rejection of certificate requests; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Issuance of Certificates; and<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Generation of Certificate Revocation Lists and OCSP entries.<o:p></o:p></span></pre><pre style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l1 level1 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Security events, including:<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Successful and unsuccessful PKI system access attempts;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>PKI and security system actions performed;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Security profile changes;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Installation, update and removal of software on a Certificate System; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>System crashes, hardware failures, and other anomalies;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Firewall and router activities; and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo1;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>7.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Entries to and exits from the CA facility.<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Delete the following Section 5.4.3. from the “Baseline Requirements for the Issuance<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>and Management of Publicly-Trusted Certificates”, version 1.6.7, which currently<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>reads as follows:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:35.45pt'><span lang=EN-US>The CA SHALL retain any audit logs generated for at least seven years. The CA<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:35.45pt'><span lang=EN-US>SHALL make these audit logs available to its Qualified Auditor upon request.<o:p></o:p></span></pre><pre><span lang=EN-US>Insert, as Section 5.4.3. Retention Period for Audit Logs of the “Baseline Requirements<o:p></o:p></span></pre><pre><span lang=EN-US>for the Issuance and Management of Publicly-Trusted Certificates”, the following:<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US>The CA SHALL retain, for at least two years:<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US><o:p> </o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:<o:p></o:p></span></pre><pre style='margin-left:108.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>a.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>the destruction of the CA Private Key; or<o:p></o:p></span></pre><pre style='margin-left:108.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>b.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key; <o:p></o:p></span></pre><pre style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:108.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='font-size:11.0pt;font-family:Roboto;color:black'><span style='mso-list:Ignore'>c.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt;font-family:Roboto;color:black'><o:p> </o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred. <o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Delete from “Network and Certificate Systems Security Requirements”, Version 1.3,<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Section 3.b<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.45pt'><span lang=EN-US>b. Identify those Certificate Systems under the control of CA or Delegated<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.45pt'><span lang=EN-US> Third Party Trusted Roles capable of monitoring and logging system activity<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.45pt'><span lang=EN-US> and enable those systems to continuously monitor and log system activity;<o:p></o:p></span></pre><pre><span lang=EN-US>Insert new “Network and Certificate Systems Security Requirements”, Version 1.3,<o:p></o:p></span></pre><pre><span lang=EN-US>Section 3.b with the following text:<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US>b. Identify those Certificate Systems under the control of CA or Delegated<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> Third Party Trusted Roles capable of monitoring and logging system activity,<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> and enable those systems to log and continuously monitor the events specified<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> Management of Publicly-Trusted Certificates;<o:p></o:p></span></pre><p style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:0cm'><span lang=EN-US style='font-size:11.0pt;color:black'>*— MOTION ENDS —*</span><span lang=EN-US><o:p></o:p></span></p><div><pre><span lang=EN-US>Discussion (7+ days)<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Start Time: 2020-07-10 17:00:00 UTC<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>End Time: 2020-08-28 17:00:00 UTC<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Vote for approval (7 days)<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Start Time : 2020-09-03 17:00:00 UTC<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>End Time: 2020-09-10 17:00:00 UTC<o:p></o:p></span></pre></div></div></body></html>