<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=en-SE link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Hi Tobias,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>I can only share our side of the discussion, as done in the first email I sent out. However the logging of all OCSP requests was certainly part of this. Other than that, the discussion was more in general around what it may entail without going into specific points on what should or should not be included. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>If CABF members want to bring forward specific items or ideas they believe should be covered in here, on top of the proposed changes, then lets have a discussion on that and see how detailed we can get!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>As indeed you have brought forward an idea: Yes I think having logins (and unsuccessful login attempts) logged, would indeed be useful. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Are there any other items that you would like to see reflected?<br><br></span><span lang=SV style='font-size:11.0pt;mso-fareast-language:EN-US'>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Tobias S. Josefowitz <tobij@opera.com><br><b>Date: </b>Wednesday, 20 September 2023 at 16:52<br><b>To: </b>Martijn Katerbarg <martijn.katerbarg@sectigo.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Subject: </b>Re: [Servercert-wg] Proposal to update logging requirements<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<br><br><br>Hi Martijn,<br><br>On Wed, 20 Sep 2023, Martijn Katerbarg wrote:<br><br>> The discussion we had was around the amount of log events and details<br>> required in accordance with the BRs. This in essence, it boiled down to<br>> the interpretation of the word "activities". Yes, routing a packet is a<br>> router activity. So, must it be logged? Depending on the interpretation<br>> that one may have, it may have to be logged, because it's a router<br>> activity, and router activities must be logged, right? In our eyes<br>> however, this is not a reasonable interpretation of the requirement.<br><br>Thank you! I can certainly agree that, without any context, a hypothetical<br>requirement "Record all firewall and router activities." will easily lead<br>to nonsensical results depending on the definition/interpretation of<br>activities. I can also agree that, even with the context of 5.4.1, it may<br>not necesarily be very clear what the interpretation should be.<br><br>I was just hoping that getting a brief insight into the point of<br>discussion that you had come up might be helpful in delineating more where<br>the line should be, and then how to express it in 5.4.1.<br><br>The changes in<br><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fmain...XolphinMartijn%3Aservercert%3ALoggingRequirements&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cea8ee5d9f7204b5ad18b08dbb9e94534%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638308183770731321%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YfALPRS%2FmiDqkQAsgon%2BJA18INtaj3HDLFZP5y3um3k%3D&reserved=0">https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fmain...XolphinMartijn%3Aservercert%3ALoggingRequirements&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cea8ee5d9f7204b5ad18b08dbb9e94534%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638308183770731321%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YfALPRS%2FmiDqkQAsgon%2BJA18INtaj3HDLFZP5y3um3k%3D&reserved=0</a><br>however look like they are falling a bit short. There are many more types<br>of "activities" that I would think should be encompassed by 5.4.1, too<br>many to give a list. But to single one out just to illustrate my point, I<br>think that logins to the router's/firewall's management interface are a<br>kind of "activity" that would be very useful to have covered by 5.4.1.<br><br>If you could provide any insight into how differing interpretations are<br>clashing in practice, it would help me a lot, and I would really<br>appreciate it.<br><br>Tobi<o:p></o:p></span></p></div></div></div></div></body></html>