<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Joel,</p>
<p>Since the BR stipulations only cover minima for record retention,
I would have thought that no conflict is likely unless a
government entity has a maximum record retention which is shorter
than that required by the BRs. [For example, if the BRs require
storage for 7 years or more, but a local regulation mandates that
records must be expunged after 5 years].</p>
<p>In that case, I suspect that section 9.16.3 of the BRs
("Severability") would come into play; that would require that the
CA adheres to local law but states in its CPS, in 9.16.3, what
the local law is, why and how it overrides the BR stipulations; as
well as informing the CA/B by posting to <a class="moz-txt-link-abbreviated" href="mailto:questions@cabforum.org">questions@cabforum.org</a>
of the legally required mandate to diverge from the BRs.</p>
<p>Others can comment more on this, but I think that we probably
don't need specific language in the ballot to cover this, unless I
misunderstand 9.16.3.</p>
<p>Best,</p>
<p>Neil<br>
</p>
<div class="moz-cite-prefix">On 30/12/2020 14:16, Kazin, Joel S
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5f239708b7544e0fbc570daa8645c9a7@bofa.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">Neil,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">I
agree with the change. However, wouldn’t any legal hold
override the retention requirements of the BR? I’m uncertain
if that condition has to be called out in the BR. Thoughts?</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">Regards,</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif;color:#1F497D">Joel
Kazin</span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><a name="_____replyseparator"
moz-do-not-send="true"></a><b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:'Calibri',sans-serif">
Servercert-wg
[<a class="moz-txt-link-freetext" href="mailto:servercert-wg-bounces@cabforum.org">mailto:servercert-wg-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Neil Dunbar via Servercert-wg<br>
<b>Sent:</b> Wednesday, December 30, 2020 5:46 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a><br>
<b>Subject:</b> [Servercert-wg] Ballot SC38v2 -
Alignment of Record Archival</span></p>
</div>
</div>
<p>All,</p>
<p>I'm heartbeating the discussion period since the holiday
season has got in the way of producing an improved text to
address the issues which Ryan, Paul and others have brought
up. I didn't want to lose the ballot because of the end of
year gap.</p>
<p>I do have a set of improvements which will be addressed at
the next NetSec meeting on 2021-01-05, so we can expect a new
version of the ballot shortly after that.</p>
<p>The changes planned are to directly address the RA
requirement as well as the "suspicious activity database" and
then to directly address the retention of certificate request
rejection/certificate revocation in 5.4.</p>
<p>Thanks,</p>
<p>Neil</p>
<div>
<p class="MsoNormal">On 09/12/2020 10:37, Neil Dunbar via
Servercert-wg wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">This begins the discussion period for
Ballot SC38: Alignment of Record Archival (which I
circulated a little while ago).
<br>
<br>
The following ballot is proposed by Neil Dunbar of TrustCor
Systems and endorsed by David Kluge of Google Trust Services
and Ben Wilson of Mozilla.
<br>
<br>
Purpose of Ballot: <br>
<br>
After the updated language included in SC28, Sections 5.4.3
and 5.5.2 (of the BRs) could be in conflict. Section 5.5.2
requires all documentation relating to certificate requests
and the verification thereof, and all Certificates and
revocation thereof be retained for seven years after
certificates cease to be valid. Section 5.4.3 requires
all audit logs of Subscriber Certificate lifecycle
management event records be maintained for two years after
the revocation or expiration of the Subscriber Certificate.
These sections intersect at the retention requirements for
audit logs and archived records, as they relate to
subscriber certificate lifecycle events. The retention
periods are in conflict as to the length of retention.
<br>
<br>
The proposed changes seek to bring these two sections of the
“Baseline Requirements” into agreement and avoid confusion
and potential issues of noncompliance as they relate to
retention periods.
<br>
<br>
The NetSec discussion document for this ballot is attached
as a PDF to this email.
<br>
<br>
-- MOTION BEGINS -- <br>
<br>
Delete the following Section 5.5.2 Retention period for
archive from the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates”, which
currently reads as follows:
<br>
<br>
The CA SHALL retain all documentation relating to
certificate requests and the verification thereof, and all
Certificates and revocation thereof, for at least seven
years after any Certificate based on that documentation
ceases to be valid.
<br>
Insert, as Section 5.5.2. Retention period for archive of
the “Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates”, the following:
<br>
<br>
The CA SHALL retain all documentation relating to
certificate requests and the verification thereof, and all
Certificates and revocation thereof, for at least two years
after any Certificate based on that documentation ceases to
be valid.
<br>
<br>
-- MOTION ENDS -- <br>
<br>
* WARNING *: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT
THE OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section
2.4(a)):
<br>
<br>
A comparison of the changes can be found at: <a
href="https://github.com/cabforum/documents/compare/8f63128...neildunbar:180341b"
moz-do-not-send="true">
https://github.com/cabforum/documents/compare/8f63128...neildunbar:180341b</a><br>
<br>
This ballot proposes one Final Maintenance Guideline. <br>
<br>
The procedure for approval of this ballot is as follows: <br>
<br>
Discussion: (7+ days) <br>
Start Time: 2020-12-09 17:00 UTC <br>
End Time: not before 2020-12-16 17:00 UTC <br>
<br>
Vote for approval: (7 days) <br>
Start Time: TBD <br>
End Time: TBD <br>
</p>
</blockquote>
</div>
</blockquote>
</body>
</html>