<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:細明體;
panose-1:2 2 5 9 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@新細明體";
panose-1:2 1 6 1 0 1 1 1 1 1;}
@font-face
{font-family:"\@細明體";
panose-1:2 1 6 9 0 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"新細明體",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"新細明體",serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML 預設格式 字元";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:細明體;}
span.HTML
{mso-style-name:"HTML 預設格式 字元";
mso-style-priority:99;
mso-style-link:"HTML 預設格式";
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"新細明體",serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:324862054;
mso-list-template-ids:-328967462;}
@list l0:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:2097558001;
mso-list-template-ids:1598748734;}
@list l1:level1
{mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level2 lfo5
{mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0cm;
text-indent:0cm;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-TW link=blue vlink=purple><div class=WordSection1><p><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p><span lang=EN-US style='color:#1F497D'>Chunghwa Telecom votes YES on Ballot SC28v6. <o:p></o:p></span></p><p><span lang=EN-US style='color:#1F497D'> Li-Chun Chen <o:p></o:p></span></p><p align=center style='text-align:center'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US>Il 03/09/2020 14:22, Neil Dunbar via Servercert-wg ha scritto:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p><span lang=EN-US>This begins the voting period for ballot SC28: Logging and Log Retention.<o:p></o:p></span></p><p><span lang=EN-US>The ballot has been in heartbeat for some time - hopefully CAs have had the time to look at the issues within during this extended discussion period.<o:p></o:p></span></p><p><span lang=EN-US>[The discussion document is attached to this email]<o:p></o:p></span></p><pre><span lang=EN-US>Current redline: <a href="https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad">https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad</a><o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Purpose of Ballot:<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The proposed changes seek to clarify the relationship between audit<o:p></o:p></span></pre><pre><span lang=EN-US>logging obligations under Network and Certification System Security<o:p></o:p></span></pre><pre><span lang=EN-US>Requirements and Baseline Requirements and to reduce the retention<o:p></o:p></span></pre><pre><span lang=EN-US>period for log data, when appropriate. The proposed change also provides<o:p></o:p></span></pre><pre><span lang=EN-US>clarification by specifically cross-referencing the Baseline Requirements.<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The current log retention requirements for subscriber certificates<o:p></o:p></span></pre><pre><span lang=EN-US>require certificate validation and certificate activity to be retained<o:p></o:p></span></pre><pre><span lang=EN-US>for seven years, while the lifetime of a certificate is only two years.<o:p></o:p></span></pre><pre><span lang=EN-US>There does not seem to be a justification for retaining logs three times<o:p></o:p></span></pre><pre><span lang=EN-US>as long as the lifetime of the certificate. As certificate lifetimes<o:p></o:p></span></pre><pre><span lang=EN-US>move to one year this further supports a reduction in log retention;<o:p></o:p></span></pre><pre><span lang=EN-US>this ballot proposes a sorting of the logged events into logical<o:p></o:p></span></pre><pre><span lang=EN-US>categories, together with a requirement of CAs to retain the data for<o:p></o:p></span></pre><pre><span lang=EN-US>two years after the event has passed (as opposed to the blanket seven<o:p></o:p></span></pre><pre><span lang=EN-US>years which exists as a duty currently).<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The benefit of this ballot is to reduce data retention requirements for<o:p></o:p></span></pre><pre><span lang=EN-US>those log elements which most CAs consider as having limited long-term<o:p></o:p></span></pre><pre><span lang=EN-US>value. As an example, firewall and router activity logs are of<o:p></o:p></span></pre><pre><span lang=EN-US>significant size and thus impose significant storage requirements. These<o:p></o:p></span></pre><pre><span lang=EN-US>logs serve a benefit when investigating a potential security event,<o:p></o:p></span></pre><pre><span lang=EN-US>however, these logs lose value with the passage of time. Logs containing<o:p></o:p></span></pre><pre><span lang=EN-US>firewall traffic that is several years old provide little value in the<o:p></o:p></span></pre><pre><span lang=EN-US>investigation of a contemporary incident. Additionally, certificate<o:p></o:p></span></pre><pre><span lang=EN-US>validation and issuance logs have little value after a certificate has<o:p></o:p></span></pre><pre><span lang=EN-US>expired. The log size for many CAs is measured in terabytes, each year<o:p></o:p></span></pre><pre><span lang=EN-US>and the overhead of storing these logs and monitoring for compliance is<o:p></o:p></span></pre><pre><span lang=EN-US>significant. The benefit for reducing retention is considered high.<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The dicussion document which forms the basis of the ballot is attached<o:p></o:p></span></pre><pre><span lang=EN-US>as a PDF to this email - previous attempts to link to the Google Drive<o:p></o:p></span></pre><pre><span lang=EN-US>document ran up against permission problems in the past.<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Proposal<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>The following ballot is proposed by Neil Dunbar of TrustCor Systems and<o:p></o:p></span></pre><pre><span lang=EN-US>endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of<o:p></o:p></span></pre><pre><span lang=EN-US>Microsoft.<o:p></o:p></span></pre><p style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:0cm'><span lang=EN-US style='font-family:細明體'>*</span><span style='font-family:細明體'>—<span lang=EN-US> MOTION BEGINS </span>—<span lang=EN-US>*<o:p></o:p></span></span></p><pre style='margin-bottom:10.0pt'><span lang=EN-US>Delete the following Section 5.4.1. from the </span>“<span lang=EN-US>Baseline Requirements for<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>the Issuance and Management of Publicly-Trusted Certificates</span>”<span lang=EN-US>, version<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>1.6.7, which currently reads as follows:<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>The CA and each Delegated Third Party SHALL record details of the<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>actions taken to process a certificate request and to issue a<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>Certificate, including all information generated and documentation<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>received in connection with the certificate request; the time and date;<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>and the personnel involved. The CA SHALL make these records available<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>to its Qualified Auditor as proof of the CA</span>’<span lang=EN-US>s compliance with these<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>Requirements.<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US>The CA SHALL record at least the following events:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US> 1. CA key lifecycle management events, including: <o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>a. Key generation, backup, storage, recovery, archival,<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>and destruction; and <o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>b. Cryptographic device lifecycle management events. <o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US>2. CA and Subscriber Certificate lifecycle management events, including:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>a. Certificate requests, issuance, renewal, and re-key requests,<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> and revocation;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>b. All verification activities stipulated in these Requirements<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> and the CA</span>’<span lang=EN-US>s Certification Practice Statement;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>c. Date, time, phone number used, persons spoken to, and end<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> results of verification telephone calls;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>d. Acceptance and rejection of certificate requests; Frequency<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US> of Processing Log<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>e. Issuance of Certificates; and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>f. Generation of Certificate Revocation Lists and OCSP entries.<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:24.0pt;text-indent:-24.0pt'><span lang=EN-US>3. Security events, including:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>a. Successful and unsuccessful PKI system access attempts;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>b. PKI and security system actions performed;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>c. Security profile changes;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>d. System crashes, hardware failures, and other anomalies;<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>e. Firewall and router activities; and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:60.0pt;text-indent:-24.0pt'><span lang=EN-US>f. Entries to and exits from the CA facility.<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Insert in Section 1.6.1 (Definitions) of the </span>“<span lang=EN-US>Baseline Requirements for the<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Issuance and Management of Publicly-Trusted Certificates</span>”<span lang=EN-US>, the following (after<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>the definition of </span>“<span lang=EN-US>Certification Practice Statement</span>”<span lang=EN-US>):<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Certificate Profile: A set of documents or files that defines requirements for<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>Certificate content and Certificate extensions in accordance with Section 7 of<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>the Baseline Requirements. e.g. a Section in a CA</span>’<span lang=EN-US>s CPS or a certificate<o:p></o:p></span></pre><pre style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:0cm'><span lang=EN-US>template file used by CA software.<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Insert, as Section 5.4.1. (Types of events recorded) of the </span>“<span lang=EN-US>Baseline Requirements<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>for the Issuance and Management of Publicly-Trusted Certificates</span>”<span lang=EN-US>, the following:<o:p></o:p></span></pre><pre><span lang=EN-US>Section 5.4.1<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>The CA and each Delegated Third Party SHALL record details of the actions taken<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>to process a certificate request and to issue a Certificate, including all information<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>generated and documentation received in connection with the certificate request;<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>the time and date; and the personnel involved. The CA SHALL make these records<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>available to its Qualified Auditor as proof of the CA</span>’<span lang=EN-US>s compliance with these<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>Requirements.<o:p></o:p></span></pre><pre style='margin-bottom:12.0pt'><span lang=EN-US>The CA SHALL record at least the following events:<o:p></o:p></span></pre><pre style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>CA certificate and key lifecycle events, including:<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Key generation, backup, storage, recovery, archival, and destruction; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Certificate requests, renewal, and re-key requests, and revocation;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Approval and rejection of certificate requests; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Cryptographic device lifecycle management events;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Generation of Certificate Revocation Lists and OCSP entries;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.<o:p></o:p></span></pre><pre style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Subscriber Certificate lifecycle management events, including:<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Certificate requests, renewal, and re-key requests, and revocation;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Approval and rejection of certificate requests; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Issuance of Certificates; and<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Generation of Certificate Revocation Lists and OCSP entries.<o:p></o:p></span></pre><pre style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Security events, including:<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Successful and unsuccessful PKI system access attempts;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>PKI and security system actions performed;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Security profile changes;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Installation, update and removal of software on a Certificate System; <o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>System crashes, hardware failures, and other anomalies;<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Firewall and router activities; and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo2;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>7.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Entries to and exits from the CA facility.<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Delete the following Section 5.4.3. from the </span>“<span lang=EN-US>Baseline Requirements for the Issuance<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>and Management of Publicly-Trusted Certificates</span>”<span lang=EN-US>, version 1.6.7, which currently<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>reads as follows:<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:35.45pt'><span lang=EN-US>The CA SHALL retain any audit logs generated for at least seven years. The CA<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:35.45pt'><span lang=EN-US>SHALL make these audit logs available to its Qualified Auditor upon request.<o:p></o:p></span></pre><pre><span lang=EN-US>Insert, as Section 5.4.3. Retention Period for Audit Logs of the </span>“<span lang=EN-US>Baseline Requirements<o:p></o:p></span></pre><pre><span lang=EN-US>for the Issuance and Management of Publicly-Trusted Certificates</span>”<span lang=EN-US>, the following:<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US>The CA SHALL retain, for at least two years:<o:p></o:p></span></pre><pre style='margin-left:36.0pt'><span lang=EN-US><o:p> </o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level1 lfo4;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:<o:p></o:p></span></pre><pre style='margin-left:108.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo5;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>a.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>the destruction of the CA Private Key; or<o:p></o:p></span></pre><pre style='margin-left:108.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo5;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>b.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key; <o:p></o:p></span></pre><pre style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:108.0pt;text-indent:-18.0pt;mso-list:l1 level2 lfo5;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:black'><span style='mso-list:Ignore'>c.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-size:11.0pt;font-family:"Arial",sans-serif;color:black'><o:p> </o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level1 lfo5;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.<o:p></o:p></span></pre><pre style='margin-left:72.0pt;text-indent:-18.0pt;mso-list:l1 level1 lfo5;vertical-align:baseline'><![if !supportLists]><span lang=EN-US style='color:black'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='color:black'>Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred. <o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Delete from </span>“<span lang=EN-US>Network and Certificate Systems Security Requirements</span>”<span lang=EN-US>, Version 1.3,<o:p></o:p></span></pre><pre style='margin-bottom:10.0pt'><span lang=EN-US>Section 3.b<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.45pt'><span lang=EN-US>b. Identify those Certificate Systems under the control of CA or Delegated<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.45pt'><span lang=EN-US> Third Party Trusted Roles capable of monitoring and logging system activity<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.45pt'><span lang=EN-US> and enable those systems to continuously monitor and log system activity;<o:p></o:p></span></pre><pre><span lang=EN-US>Insert new </span>“<span lang=EN-US>Network and Certificate Systems Security Requirements</span>”<span lang=EN-US>, Version 1.3,<o:p></o:p></span></pre><pre><span lang=EN-US>Section 3.b with the following text:<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US>b. Identify those Certificate Systems under the control of CA or Delegated<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> Third Party Trusted Roles capable of monitoring and logging system activity,<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> and enable those systems to log and continuously monitor the events specified<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and<o:p></o:p></span></pre><pre style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:36.0pt'><span lang=EN-US> Management of Publicly-Trusted Certificates;<o:p></o:p></span></pre><p style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:10.0pt;margin-left:0cm'><span lang=EN-US style='font-size:11.0pt;font-family:細明體;color:black'>*</span><span style='font-size:11.0pt;font-family:細明體;color:black'>—<span lang=EN-US> MOTION ENDS </span>—<span lang=EN-US>*</span></span><span lang=EN-US style='font-family:細明體'><o:p></o:p></span></p><div><pre><span lang=EN-US>Discussion (7+ days)<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Start Time: 2020-07-10 17:00:00 UTC<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>End Time: 2020-08-28 17:00:00 UTC<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Vote for approval (7 days)<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>Start Time : 2020-09-03 17:00:00 UTC<o:p></o:p></span></pre><pre><span lang=EN-US><o:p> </o:p></span></pre><pre><span lang=EN-US>End Time: 2020-09-10 17:00:00 UTC<o:p></o:p></span></pre></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US><o:p> </o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>Servercert-wg mailing list<o:p></o:p></span></pre><pre><span lang=EN-US><a href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a><o:p></o:p></span></pre><pre><span lang=EN-US><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></span></pre></blockquote></div><!-- --><B><BR><BR><font size="-1">本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件.
如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
<BR>Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.</font></B>
</body></html>