<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Similarly with Aaron, I support the intent of this ballot but have
similar concerns about the terms used in the ballot.<br>
<br>
Back in May 2021, I sent <a moz-do-not-send="true"
href="https://lists.cabforum.org/pipermail/netsec/2021-May/000449.html">this
message</a> to the NetSec Subcommittee referring to RFC 3647 for
guidance on the use of the terms "audit log" and "records archival".
In my understanding the authors of RFC 3647 were trying to capture
two different sets of "evidence". Each set would need to define the
"types of events recorded/types of records archived", the "retention
period", the "protection" controls, and the "backup" controls.<br>
<br>
I understand that RFC3647 has a different meaning in the term
"archival" (used in the phrase "records archival") compared to this
ballot. <br>
<br>
Based on 3647, sections 5.4 and 5.5 are complementary and
symmetrical. With that said, it appears that 5.5.2 repeats what is
already required in 5.4.3 (1.), (2.) and (3.). I'm fine with
repeating important text but I'm concerned that this might cause
some confusion. We should probably clarify these terms a little
better.<br>
<br>
I would also like to propose that a NOTE is added at the end of
sections 5.4.3 and 5.5.2:<br>
<br>
In 5.4.3:<br>
<br>
"<strong>Note:</strong> While these Requirements set the minimum
retention period, the CA MAY choose a greater value as more
appropriate in order to be able to investigate possible security or
other types of incidents that will require retrospection and
examination of past audit log events."<br>
<br>
In 5.5.2:<br>
<br>
"<strong>Note:</strong> While these Requirements set the minimum
retention period, the CA MAY choose a greater value as more
appropriate in order to be able to investigate possible security or
other types of incidents that will require retrospection and
examination of past records archived."<br>
<br>
I would even recommend changing the MAY into a SHOULD if others
agree.<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 19/1/2022 10:50 μ.μ., Aaron Gable
via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017e741ace42-9196afd8-edfa-4255-b426-50ada5261943-000000@email.amazonses.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>I fully support the intent of this ballot, but upon close
reading I have some slight concern.</div>
<div><br>
</div>
Although this ballot brings the definitions from the NCSSRs
directly into the BRs, those definitions do not include a
definition of the words "retain" or "archive". This causes me
some confusion.
<div><br>
</div>
<div>My reading of the structure of this ballot is essentially:</div>
<div>1) A CA must record events X, Y, Z to an audit log<br>
2) A CA must retain those audit logs for 2 years after A, B, C<br>
3) A CA must archive records X, Y, Z, W, V<br>
4) A CA must retain archives for 2 years after A, B, C<br>
</div>
<div><br>
</div>
<div>With no functional definition of the word "archive", it is
unclear what the purpose of having both of these sections at
all is. With the exception of the additional numbered items
5.2.2.(4) and 5.2.2.(5), the two sections appear to be
essentially identical. A CA which stores all required records
on a single hard drive appears to be equally in compliance
with both sections. So why have both sections at all?</div>
<div><br>
</div>
<div>Additionally, I find the phrasing of Section 5.5.1 to be
unfortunate: it contains two sentences, both of which start
"The CA and each Delegated Third Party SHALL archive records
related to...". These should be combined into a single
bulleted list, much as Section 5.5.2 does.</div>
<div><br>
</div>
<div>Aaron</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jan 13, 2022 at 11:02
AM Clint Wilson via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">This
email begins the discussion period for Ballot SC51: </span><font
face="Menlo-Regular" color="#000000"><span
style="font-size:11px">Reduce and Clarify Audit Log and
Records Archival Retention Requirements</span></font><br
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">
<br
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">
<font face="Menlo-Regular" color="#000000"><span
style="font-size:11px">BALLOT SC51: Reduce and Clarify
Audit Log and Records Archival Retention Requirements</span></font><br
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">
<br
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">PURPOSE
OF BALLOT</span><br
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">
<font face="Menlo-Regular" color="#000000"><span
style="font-size:11px"><br>
The purpose of this ballot is to consolidate and clarify
aspects of audit log and records archival retention
expectations and time-periods within 5.5.2.</span></font>
<div><font face="Menlo-Regular" color="#000000"><span
style="font-size:11px"><br>
Foremost, this ballot reduces retention periods for
records archival to 2 years.<br>
Further, currently audit log events as outlined in
section 5.4.1, and then referenced in 5.4.3 lead to
confusion around the log retention that is defined and
exclusive to each section, and how that retention
feeds into records archival requirements. To further
clarify the objectives of that interaction, an
explicit requirement has been introduced in
5.5.1 stating that CAs must archive lifecycle event
records.<br>
<br>
As minor adjustments to related requirements, this
ballot also clarifies what is expected by the term
“OCSP Entries” as a logged lifecycle event; as
OCSP Entry is an undefined term, this was replaced
with OCSP Response such that it should be clear that a
CA will be logging the event of signing an
OCSP Response (including the elements stipulated in
5.4.1). Similarly, some certificate lifecycle events
expected to be retained are currently separated into
5.5.2; these have been incorporated into
5.4.1 instead. This ballot also explicitly calls out
the need for delegated third parties to abide by the
established retention periods for audit logging and
records archival procedures.</span></font>
<div><font face="Menlo-Regular" color="#000000"><span
style="font-size:11px">This ballot also formalizes
incorporation of terms defined in the NCSSRs as also
applying to the BRs.</span></font></div>
<div>
<div style="color:rgb(0,0,0)"><font face="Menlo-Regular"
color="#000000"><span style="font-size:11px"><br>
</span></font></div>
<div style="color:rgb(0,0,0)"><font face="Menlo-Regular"
color="#000000"><span style="font-size:11px">MOTION</span></font></div>
<div><br
style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">The
following motion has been proposed by Clint Wilson
of Apple and endorsed by Trevoli Ponds-White of
Amazon and Dustin Hollenback of Microsoft.</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">-----Motion
Begins-----</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">This
ballot modifies the “Baseline Requirements for the
Issuance and Management of Publicly-Trusted
Certificates” as defined in the following redline,
based on Version 1.8.0:</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<font face="Menlo-Regular" color="#000000"><span
style="font-size:11px"><a
href="https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...63dc6210e728349bb4602e4ede051efed593a91c"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...63dc6210e728349bb4602e4ede051efed593a91c</a></span></font></div>
<div><font color="#000000"><span><br
style="font-family:Menlo-Regular;font-size:11px">
</span></font><span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">-----Motion
Ends-----</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">This
ballot proposes a Final Maintenance Guideline. The
procedure for approval of this ballot is as follows:</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">Discussion
(7+ days)</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">Start
Time: January 13 2022 19:00 UTC</span><br
style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">End
Time: January 20 2022 19:00 UTC</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">Vote
for approval (7 days)</span><br
style="font-family:Menlo-Regular;font-size:11px">
<br style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">Start
Time: TBD</span><br
style="font-family:Menlo-Regular;font-size:11px">
<span
style="color:rgb(0,0,0);font-family:Menlo-Regular;font-size:11px">End
Time: TBD</span></div>
</div>
</div>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</body>
</html>