<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:-apple-system;
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.gmailsignatureprefix
{mso-style-name:gmail_signature_prefix;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=en-SE link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Hi Daniel,<br><br>Thank you for your comments. I agree. With that, my existing proposal hopefully is a first step towards this. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>I’m also contemplating whether, long term, all logging requirements should instead be included in the NSRs, rather than the BRs. But, as the NSWG is already working on a set of changes, I can imagine this is not something that will (or should) happen soon. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Daniel Jeffery <djeffery@fastly.com><br><b>Date: </b>Friday, 15 September 2023 at 00:38<br><b>To: </b>Martijn Katerbarg <martijn.katerbarg@sectigo.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Subject: </b>Re: [Servercert-wg] Proposal to update logging requirements<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div><p class=MsoNormal><span style='font-size:11.0pt'>Hello Martijn and CA/B,<br><br>I like where we're going with this and wholeheartedly agree with the desire to not obscure useful logging with excessive volume of useless logs. <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt'><br>In that vein, I'm curious what uses people have for logging all blocked traffic on an internet-facing firewall. To me it seems the signal-to-noise ratio is so bad that keeping all the logs of dropped packets on an external interface is unproductive. The only time I can really see using this is with some highly-tuned NIDS or in a retrospective to look at patterns prior to breach. <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt'>Logging all blocked firewall traffic behind the firewall, between security zones, on the other hand, should be very useful.<br><br>Dan<o:p></o:p></span></p></div></div></div><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div><p class=MsoNormal><span style='font-size:11.0pt'>On Wed, 13 Sept 2023 at 03:00, Martijn Katerbarg via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=SV style='font-size:11.0pt'>Hi all,</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=SV style='font-size:11.0pt'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>During our last WebTrust audit cycle it became clear that our interpretation of “Firewall and router activities” and CPA Canada’s interpretation were meaningfully different. In particular, it came to light that in its most aggressive possible interpretation, the actual logging of a firewall activity would itself constitute a firewall activity, which would itself require logging, as would the log of the log entry of that log entry, the log of this newest log entry, and et cetera into infinity. </span><span lang=EN-US style='font-size:11.0pt'>In our opinion, too much “valid traffic” logging makes it harder to find “bad traffic”.</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>We offer a simple rewrite to reflect the difference between valuable and necessary logged information and unproductive (and potentially absurd) logging. 
<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'>Similarly, several Certificate Consumers have expressed the wish to move away from OCSP, while, depending on interpretation of the language, CAs that do support OCSP may need to log every GET/POST request for OCSP responses, and keep this data for at least 2 years.</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'>The requirement for CAs to monitor OCSP requests is the product of a different time, when thinking around OCSP was very different. As privacy concerns and other structural weaknesses move the community away from its position on OCSP, it no longer makes sense to include requirements for CAs to watch and record OCSP requests.</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'>Ballot SC-063 v4 </span><span lang=EN-US style='font-size:11.0pt;color:#212121'>made</span><span style='font-size:11.0pt;color:#212121'> it optional for CAs to provide OCSP at all. 
(We recognize that there is still a root program requirement that pragmatically prevents CAs from eliminating OCSP, but within the scope of CABF requirements this is a critical change.) For the BRs to strongly recommend (via this SHOULD requirement) monitoring OCSP is incongruous and out of keeping with current thinking.</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'>Even if we did want such monitoring to take place, any such requirement would present serious and perhaps insurmountable technical challenges:</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'>For a typical OCSP responder that is only aware of unexpired certificates, it's impossible to tell the difference between an "unused" serial number and the serial number of an expired certificate. To disambiguate would require the ongoing cross-referencing of OCSP responder logs against the CA's cert issuance logs, requiring additional code development and maintenance and significant production overhead.</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'>Furthermore, as most OCSP services are fronted by CDNs, there's no guarantee that the CA will even have access to the full OCSP request logs. If the CA can't enumerate all the IP addresses of OCSP clients that send requests for "unused" serial numbers, then this vastly diminishes whatever value we attribute to this monitoring requirement. 
</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;color:#212121'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'>Our proposed changes are available for review on <a href="https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements" target="_blank">https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements</a></span><span lang=EN-US style='font-size:11.0pt'>.</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt'>With this email I’m hoping to receive feedback and thoughts on this proposal.<br><br>Regards,<br><br>Martijn</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt'>Sectigo</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt'> </span><span 
style='font-size:11.0pt'><o:p></o:p></span></p></div></div><p class=MsoNormal><span style='font-size:11.0pt'>_______________________________________________<br>Servercert-wg mailing list<br><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></span></p></div></blockquote></div><p class=MsoNormal><span style='font-size:11.0pt'><br clear=all><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p></div><p class=MsoNormal><span class=gmailsignatureprefix><span style='font-size:11.0pt'>-- </span></span><span style='font-size:11.0pt'><o:p></o:p></span></p><div><div><div><div><div><p class=MsoNormal><strong><span style='font-size:10.5pt;font-family:-apple-system;color:#172B4D'>Daniel Jeffery</span></strong><span style='font-size:10.5pt;font-family:-apple-system;color:#172B4D'> | TLS<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:-apple-system;color:#172B4D'><a 
href="http://fastly.com/" target="_blank"><span style='color:#3B73AF'>fastly.com</span></a> | <a href="https://twitter.com/fastly" target="_blank"><span style='color:#3B73AF'>@fastly</span></a> | <a href="http://www.linkedin.com/company/fastly" target="_blank"><span style='color:#3B73AF'>LinkedIn</span></a><o:p></o:p></span></p></div></div></div></div></div></div></div></div></div></body></html>
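Added example, not part of the thread above nor of any CA's or the CA/B Forum's code: it works through the two technical points in Martijn's original post, that a responder which only knows unexpired certificates cannot tell an "unused" serial from an expired one until its request logs are joined against the CA's issuance log, and that a CDN in front of the responder may not pass the real client address through. The DER helpers, the OCSP GET path layout (RFC 6960 Appendix A: url-encoded base64 of the DER OCSPRequest), the access-log line format, the issuance records and the serial numbers are all constructed for this example; the issuer name/key hashes are dummy values.

```python
import base64
import urllib.parse
from datetime import datetime, timezone

# Minimal DER helpers written for this example; enough for an unsigned OCSPRequest.
def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV nested inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        yield tag, val

def der_tlv(tag, value):
    """Encode one definite-length DER TLV (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(i):
    """DER INTEGER for a non-negative int; adds the 0x00 pad when the top bit is set."""
    return der_tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

SHA1_OID = bytes.fromhex("2b0e03021a")      # 1.3.14.3.2.26, the usual CertID hashAlgorithm

def build_ocsp_get_path(serial, issuer_name_hash=b"\x11" * 20, issuer_key_hash=b"\x22" * 20):
    """Constructed single-cert OCSPRequest (RFC 6960 4.1.1) in GET form (Appendix A):
    '/' + url-encoded base64 of the DER. Issuer hashes are dummy values."""
    alg = der_tlv(0x30, der_tlv(0x06, SHA1_OID) + der_tlv(0x05, b""))
    cert_id = der_tlv(0x30, alg + der_tlv(0x04, issuer_name_hash)
                      + der_tlv(0x04, issuer_key_hash) + der_int(serial))
    request_list = der_tlv(0x30, der_tlv(0x30, cert_id))        # SEQUENCE OF Request { reqCert }
    ocsp_request = der_tlv(0x30, der_tlv(0x30, request_list))   # OCSPRequest { TBSRequest { .. } }
    return "/" + urllib.parse.quote(base64.b64encode(ocsp_request).decode(), safe="")

def serials_from_ocsp_get_path(path):
    """Recover every CertID.serialNumber from the last path segment of an OCSP GET."""
    der = base64.b64decode(urllib.parse.unquote(path.rsplit("/", 1)[-1]))
    _, tbs_and_sig, _ = der_read_tlv(der)          # OCSPRequest ::= SEQUENCE
    _, tbs, _ = der_read_tlv(tbs_and_sig)          # tbsRequest is its first element
    serials = []
    for tag, val in der_children(tbs):
        if tag != 0x30:                            # skip [0] version, [1] requestorName, [2] extensions
            continue
        for _, request in der_children(val):       # requestList: SEQUENCE OF Request
            _, cert_id, _ = der_read_tlv(request)  # reqCert CertID is the first field of Request
            fields = list(der_children(cert_id))   # hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber
            tag_int, serial_bytes = fields[3]
            if tag_int != 0x02:
                raise ValueError("CertID.serialNumber is not an INTEGER")
            serials.append(int.from_bytes(serial_bytes, "big", signed=True))
    return serials

def classify(serial, issuance, now):
    """Verdict once responder/CDN logs are joined with the CA's issuance log."""
    rec = issuance.get(serial)
    if rec is None:
        return "unused"
    return "expired" if rec["not_after"] < now else "issued"

def triage_ocsp_log(lines, issuance, now):
    """Lines follow a constructed CDN access-log layout:
    '<iso-ts> <edge-or-remote-ip> GET <path> <X-Forwarded-For or ->'."""
    rows = []
    for line in lines:
        ts, _edge_ip, method, path, xff = line.split()
        if method != "GET":
            continue                               # a POST body never reaches an access log
        for serial in serials_from_ocsp_get_path(path):
            live = serial in issuance and issuance[serial]["not_after"] >= now
            rows.append({"ts": ts, "serial": serial,
                         "responder_view": "known" if live else "unknown",   # all the responder alone can say
                         "class": classify(serial, issuance, now),
                         "client_ip": None if xff == "-" else xff})          # None: CDN dropped the client address
    return rows

def unattributable_unused(rows):
    """Requests for never-issued serials whose real source the CA cannot recover."""
    return [r for r in rows if r["class"] == "unused" and r["client_ip"] is None]

# Constructed sample data: two issued certs (one expired) and one never-issued serial.
NOW = datetime(2023, 9, 15, tzinfo=timezone.utc)
ISSUANCE = {0x0A1B2C: {"not_after": datetime(2024, 3, 1, tzinfo=timezone.utc)},
            0x0D0E0F: {"not_after": datetime(2023, 1, 1, tzinfo=timezone.utc)}}
SAMPLE_LOG = [f"2023-09-14T10:00:00Z 203.0.113.7 GET {build_ocsp_get_path(0x0A1B2C)} 198.51.100.23",
              f"2023-09-14T10:00:01Z 203.0.113.7 GET {build_ocsp_get_path(0x0D0E0F)} -",
              f"2023-09-14T10:00:02Z 203.0.113.8 GET {build_ocsp_get_path(0xDEADBEEF)} -",
              f"2023-09-14T10:00:03Z 203.0.113.8 GET {build_ocsp_get_path(0xDEADBEEF)} 198.51.100.42"]

if __name__ == "__main__":
    rows = triage_ocsp_log(SAMPLE_LOG, ISSUANCE, NOW)
    for r in rows:
        print(f"{r['ts']} serial={r['serial']:#x} responder={r['responder_view']:<7} "
              f"joined={r['class']:<7} client={r['client_ip']}")
    print(f"{len(unattributable_unused(rows))} unused-serial request(s) with no recoverable client IP")
```

The "responder_view" column is what the responder can say on its own: the expired serial and the never-issued serial both come back "unknown", and only the join with the issuance log separates them into "expired" and "unused". The fourth row shows the CDN case: the same unused serial is requested twice, but only the request whose edge forwarded the client address is attributable, so an "enumerate the IP addresses asking for unused serials" requirement is only as good as the CDN's log passthrough. Real deployments would also have to match the issuerNameHash/issuerKeyHash against the issuing CA and handle POST requests, which the example leaves out.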