<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>That would be best, yes.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>-Tim<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Clint Wilson <clintw@apple.com> <br><b>Sent:</b> Friday, February 11, 2022 1:56 PM<br><b>To:</b> Tim Hollebeek <tim.hollebeek@digicert.com><br><b>Cc:</b> ServerCert CA/BF <servercert-wg@cabforum.org><br><b>Subject:</b> Re: [Servercert-wg] Discussion Period Begins on Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks Tim (and others that helped correct me here)! I think I also can/should update to basing it off of v1.8.1 of the BRs now as well?<o:p></o:p></p><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Feb 11, 2022, at 10:13 AM, Tim Hollebeek <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Did you make changes to the version posted when the discussion period started? 
If so, then we need to post a new version of the ballot and restart the discussion period.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>-Tim<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><div><p class=MsoNormal><b>From:</b><span class=apple-converted-space> </span>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org">servercert-wg-bounces@cabforum.org</a>><span class=apple-converted-space> </span><b>On Behalf Of<span class=apple-converted-space> </span></b>Clint Wilson via Servercert-wg<br><b>Sent:</b><span class=apple-converted-space> </span>Thursday, February 10, 2022 6:19 PM<br><b>To:</b><span class=apple-converted-space> </span>ServerCert CA/BF <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>><br><b>Subject:</b><span class=apple-converted-space> </span>Re: [Servercert-wg] Discussion Period Begins on Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements<o:p></o:p></p></div></div></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal>I’ve incorporated the feedback received thus far into <a href="https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...8398fb32ab21829b55ab4ca4f0cf9060ec44741a">https://github.com/cabforum/servercert/compare/cda0f92ee70121fd5d692685b97ebb6669c74fb7...8398fb32ab21829b55ab4ca4f0cf9060ec44741a</a> and plan to start the voting period for this ballot tomorrow. 
Please let me know if there are issues with this, or if there’s a preference for restarting a discussion period instead, and thanks to all for the input so far!<o:p></o:p></p></div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><p class=MsoNormal>Cheers,<o:p></o:p></p></div></div><div><div><p class=MsoNormal>-Clint<o:p></o:p></p></div><div><div><p class=MsoNormal><br><br><br><o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal>On Jan 24, 2022, at 2:40 AM, Dimitris Zacharopoulos (HARICA) <<a href="mailto:dzacharo@harica.gr">dzacharo@harica.gr</a>> wrote:<o:p></o:p></p></div></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'> <o:p></o:p></p><div><div><p class=MsoNormal>On 21/1/2022 9:57 PM, Clint Wilson wrote:<o:p></o:p></p></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal> <o:p></o:p></p></div><div><div><p class=MsoNormal><br><br><br><o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal>On Jan 20, 2022, at 2:54 AM, Dimitris Zacharopoulos (HARICA) via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></p></div></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><div><div><p class=MsoNormal>Like Aaron, I support the intent of this ballot but have similar concerns about the terms used in the ballot.<br><br>Back in May 2021, I sent<span class=apple-converted-space> </span><a href="https://lists.cabforum.org/pipermail/netsec/2021-May/000449.html">this message</a><span class=apple-converted-space> </span>to the NetSec Subcommittee referring to RFC 3647 for guidance on the use of the terms "audit log" and "records archival". In my understanding the authors of RFC 3647 were trying to capture two different sets of "evidence". 
Each set would need to define the "types of events recorded/types of records archived", the "retention period", the "protection" controls, and the "backup" controls.<o:p></o:p></p></div></div></div></blockquote><div><div><p class=MsoNormal>I agree that the authors of RFC 3647 intended for more detail to be included in a CPS around each of these sections than is currently in the BRs or added via the proposed changes in this ballot, however I don’t believe that RFC 3647 intends for 5.4 and 5.5 to represent two entirely different sets of “evidence”. For example, in section 4.5.4 (“Audit Logging Procedures”) it indicates that coverage should include “Frequency with which audit logs are processed or archived”. Similarly, in 4.5.5 (“Records Archival”) the RFC indicates that coverage should include “Types of records that are archived, for example all audit data….”. These references to archive and audits lead me to the interpretation that the authors of RFC 3647 intended for the records archival process to be an overarching collection and retention of audit data (i.e. everything logged in section 5.4) along with other data which may not be processed by event logging or audit systems (such as documentation supporting certificate applications). That is, as a Venn diagram, this is one circle inside another. This ballot attempts to clearly outline the end result of this relationship by delineating (and repeating, where relevant) the categories of data accounted for in both sections 5.4 and 5.5. 
Given Aaron’s feedback, I definitely think there’s room for improving<span class=apple-converted-space> </span><i>how</i> we outline that end result, however.<o:p></o:p></p></div></div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div><p class=MsoNormal>Of course, one could also imagine, in CA-specific scenarios and modernized validation/issuance processes, that all data processed by the CA goes through event logging systems, and therefore there would be no additional data beyond audit data present in the records archive. I don’t believe this ballot negatively impacts such a CA, but I would love to hear if there are perceived unintended implications from the proposed text which can be corrected.<o:p></o:p></p></div></div><div><div><p class=MsoNormal> <o:p></o:p></p></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal><br>I understand that RFC3647 has a different meaning in the term "archival" (used in the phrase "records archival") compared to this ballot.<o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal>Are there differences that would be helpful to share here? FWIW, my understanding is that archival is, as noted in 4.5.5 of RFC 3647, “records retention” — that is, the continued possession and control of a collection of records, typically (but not necessarily) on a less frequently used storage medium. 
Perhaps this would be worth including as a newly defined term, if there’s general agreement that this represents what an archive is meant to be in the context of 5.5?<o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><br>The notion of retention is also included in 4.5.4 in the phrase "Period for which audit logs are kept" but I see your point.<br><br>I believe the interpretation that audit logs (described in section 5.4 of the BRs) are a subset of records archival (described in section 5.5) is fair and reasonable, and unless there are any objections, we should adopt it as such in the BRs by providing the necessary additional language. This will clarify the intent and expectations from CAs and auditors evaluating these requirements.<br><br>Dimitris.<o:p></o:p></p></div></div></div></blockquote></div></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>