<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Without agreeing with some parts of the justification around OCSP, I
support the proposed changes and I believe they capture a fair
meaning of Firewall and router "activities".<br>
<br>
I assume that the original authors couldn't decide on a minimum list
of specific events that should be kept by CAs regarding firewalls
and routers. For example, a router's CPU usage is a router activity,
and some CAs monitor and produce graphs of CPU usage, just like they
do for servers. However, there is no explicit requirement to capture
the CPU usage for Certificate Systems, therefore listing explicit
events that should be kept for firewalls and routers is very useful.<br>
<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<br>
<div class="moz-cite-prefix">On 13/9/2023 12:00 μ.μ., Martijn
Katerbarg via Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018a8dc55b93-7468d86b-5a00-452f-a1a7-34d0cb61106a-000000@email.amazonses.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator"
content="Microsoft Word 15 (filtered medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}div.WordSection1
{page:WordSection1;}</style>
<div class="WordSection1">
<p class="MsoNormal"><span lang="SV">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="SV"><o:p> </o:p></span></p>
<p class="MsoNormal">During our last WebTrust audit cycle it
became clear that our interpretation of “Firewall and router
activities” and CPA Canada’s interpretation were meaningfully
different. In particular it came to light that in its most
aggressive possible interpretation, the actual logging of a
firewall activity would itself constitute a firewall activity,
which would itself require logging, as would the log of the
log entry of that log entry, the log of this newest log entry,
and etcetera into infinity. <span lang="EN-US">In our
opinion, too</span> much “valid traffic” logging, makes it
harder to find “bad traffic”<span lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We offer a simple rewrite to reflect the
difference between valuable and necessary logged information
and unproductive (and potentially absurd) logging. <span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US">Similarly, several Certificate Consumers have
expressed the wish to move away from OCSP, while, depending
on interpretation of the language, CAs that do support OCSP
may need to log every GET/POST request for OCSP responses,
and keep this data for at least 2 years.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">The
requirement for CAs to monitor OCSP requests is the product
of a different time, when thinking around OCSP was very
different. As privacy concerns and other structural
weaknesses move the community away from its position on
OCSP, it no longer makes sense to include requirements for
CAs to watch and record OCSP requests.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Ballot
SC-063 v4 </span><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US">made</span><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"> it
optional for CAs to provide OCSP at all. (We recognize that
there is still a root program requirement that pragmatically
prevents CAs from eliminating OCSP, but within the scope of
CABF requirements this is a critical change.) For the BRs
to strongly recommend (via this SHOULD requirement)
monitoring OCSP is incongruous and out of keeping with
current thinking.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Even
if we did want such monitoring to take place, any such
requirement would present serious and perhaps insurmountable
technical challenges:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">For
a typical OCSP responder that is only aware of unexpired
certificates, it's impossible to tell the difference between
an "unused" serial number and the serial number of an
expired certificate. To disambiguate would require the
ongoing cross-referencing of OCSP responder logs against the
CA's cert issuance logs, requiring additional code
development and maintenance and significant production
overhead.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB">Furthermore,
as most OCSP services are fronted by CDNs, there's no
guarantee that the CA will even have access to the full OCSP
request logs. If the CA can't enumerate all the IP addresses
of OCSP clients that send requests for "unused" serial
numbers, then this vastly diminishes whatever value we
attribute to this monitoring requirement. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US">Our proposed changes are available for review
on <a
href="https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements</a></span><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US">.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US">With this email I’m hoping to receive feedback
and thoughts on this proposal.<br>
<br>
Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="mso-ligatures:none;mso-fareast-language:EN-GB"
lang="EN-US">Sectigo</span><span
style="color:#212121;mso-ligatures:none;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</body>
</html>