<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.gmailsignatureprefix
{mso-style-name:gmail_signature_prefix;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=en-SE link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;mso-fareast-language:EN-US'>Thank you Jeffery. <br><br>Still looking for an additional endorser and/or comments.<br><br>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>From: </span></b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>Daniel Jeffery <djeffery@fastly.com><br><b>Date: </b>Wednesday, 3 January 2024 at 22:01<br><b>To: </b>Martijn Katerbarg <martijn.katerbarg@sectigo.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Cc: </b>Tobias S. Josefowitz <tobij@opera.com><br><b>Subject: </b>Re: [Servercert-wg] Proposal to update logging requirements<o:p></o:p></span></p></div><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span style='color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div><p class=MsoNormal><span style='font-size:11.0pt'>The changes look good and this clearer set of requirements feels like a worthwhile improvement to us at Certainly. We'd be willing to endorse it in the current form. 
<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div><p class=MsoNormal><span style='font-size:11.0pt'>On Wed, 3 Jan 2024 at 03:45, Martijn Katerbarg via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<o:p></o:p></span></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt'>All,</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'>I’ve made a few changes based on discussions that were held a few weeks ago. 
This includes adding a new section (5.4.1.1) containing a MUST and SHOULD NOT log list.</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'>The updated proposal can be reviewed at <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fmain...XolphinMartijn%3Aservercert%3ALoggingRequirements&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7C0f729b13830645e969bb08dc0c9f1ab3%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638399124713596240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OGg9gBW8dHbeVLOGvLslihZNqK5fRaM6bGMS0i%2FPzQo%3D&reserved=0" target="_blank">https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements</a></span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'> </span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US style='font-size:11.0pt;color:#212121'>Looking for more feedback on this, or, depending on how much discussion there is, for any endorsers. 
<br><br>Regards,<br><br>Martijn</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><div id="m_6740583052454196364mail-editor-reference-message-container"><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>From: </span></b><span style='font-size:12.0pt;font-family:"Aptos",sans-serif;color:black'>Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>> on behalf of Martijn Katerbarg via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Date: </b>Friday, 22 September 2023 at 09:36<br><b>To: </b>Tobias S. Josefowitz <<a href="mailto:tobij@opera.com" target="_blank">tobij@opera.com</a>>, CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Subject: </b>Re: [Servercert-wg] Proposal to update logging requirements</span><span style='font-size:11.0pt'><o:p></o:p></span></p></div>
<p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>Hi Tobias,<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>I can only share our side of the discussion, as done in the first email I sent out. However the logging of all OCSP requests was certainly part of this. Other than that, the discussion was more in general around what it may entail without going into specific points on what should or should not be included. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>If CABF members want to bring forward specific items or ideas they believe should be covered in here, on top of the proposed changes, then let's have a discussion on that and see how detailed we can get!<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>As indeed you have brought forward an idea: Yes I think having logins (and unsuccessful login attempts) logged, would indeed be useful. 
<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>Are there any other items that you would like to see reflected?<br><br></span><span lang=SV style='font-size:11.0pt'>Regards,<br><br>Martijn</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'> <o:p></o:p></span></p><div id="m_6740583052454196364mail-editor-reference-message-container"><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><b><span style='font-size:12.0pt;color:black'>From: </span></b><span style='font-size:12.0pt;color:black'>Tobias S. Josefowitz <<a href="mailto:tobij@opera.com" target="_blank">tobij@opera.com</a>><br><b>Date: </b>Wednesday, 20 September 2023 at 16:52<br><b>To: </b>Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com" target="_blank">martijn.katerbarg@sectigo.com</a>>, CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Subject: </b>Re: [Servercert-wg] Proposal to update logging requirements</span><span style='font-size:11.0pt'><o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt'>Hi Martijn,<br><br>On Wed, 20 Sep 2023, Martijn Katerbarg wrote:<br><br>> The discussion we had was around the amount of log events and details<br>> required in accordance with the BRs. 
In essence, it boiled down to<br>> the interpretation of the word "activities". Yes, routing a packet is a<br>> router activity. So, must it be logged? Depending on the interpretation<br>> that one may have, it may have to be logged, because it's a router<br>> activity, and router activities must be logged, right? In our eyes<br>> however, this is not a reasonable interpretation of the requirement.<br><br>Thank you! I can certainly agree that, without any context, a hypothetical<br>requirement "Record all firewall and router activities." will easily lead<br>to nonsensical results depending on the definition/interpretation of<br>activities. I can also agree that, even with the context of 5.4.1, it may<br>not necessarily be very clear what the interpretation should be.<br><br>I was just hoping that getting a brief insight into the point of<br>discussion that you had come up might be helpful in delineating more where<br>the line should be, and then how to express it in 5.4.1.<br><br>The changes in<br><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fmain...XolphinMartijn%3Aservercert%3ALoggingRequirements&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7C0f729b13830645e969bb08dc0c9f1ab3%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638399124713596240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OGg9gBW8dHbeVLOGvLslihZNqK5fRaM6bGMS0i%2FPzQo%3D&reserved=0" 
target="_blank">https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements</a><br>however look like they are falling a bit short. There are many more types<br>of "activities" that I would think should be encompassed by 5.4.1, too<br>many to give a list. But to single one out just to illustrate my point, I<br>think that logins to the router's/firewall's management interface are a<br>kind of "activity" that would be very useful to have covered by 5.4.1.<br><br>If you could provide any insight into how differing interpretations are<br>clashing in practice, it would help me a lot, and I would really<br>appreciate it.<br><br>Tobi<o:p></o:p></span></p></div></div></div></div></div></div></div></div><p class=MsoNormal><span style='font-size:11.0pt'>_______________________________________________<br>Servercert-wg mailing list<br><a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br><a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fservercert-wg&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7C0f729b13830645e969bb08dc0c9f1ab3%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638399124713596240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=jew9%2FaKsIrx4mj1MNvdU0AzQy7075zVHxaGcjxYlYjo%3D&reserved=0" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><o:p></o:p></span></p></div></blockquote></div><p class=MsoNormal><span style='font-size:11.0pt'><br 
clear=all><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p></div><p class=MsoNormal><span class=gmailsignatureprefix><span style='font-size:11.0pt'>-- </span></span><span style='font-size:11.0pt'><o:p></o:p></span></p><div><div><div><div><div><p class=MsoNormal><strong><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#172B4D'>Daniel Jeffery</span></strong><span style='font-size:10.5pt;color:#172B4D'> | TLS<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;color:#172B4D'><a href="https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Ffastly.com%2F&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7C0f729b13830645e969bb08dc0c9f1ab3%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638399124713596240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XGRMHHO8VmeBKSEGBFAKsV%2FSt%2BMITiky6uu0u0yquiU%3D&reserved=0" target="_blank"><span style='color:#3B73AF'>fastly.com</span></a> | <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Ffastly&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7C0f729b13830645e969bb08dc0c9f1ab3%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638399124713596240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VJLqBzVck%2F0vwcu2nd4pNbPBWU3mqGkgQx9CKawbIx8%3D&reserved=0" target="_blank"><span style='color:#3B73AF'>@fastly</span></a> | <a 
href="https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fcompany%2Ffastly&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7C0f729b13830645e969bb08dc0c9f1ab3%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638399124713596240%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Mt%2B6Lp%2FPyWdfsQVJtCZTl1drhy9iP4uaDGoUgvjrEY8%3D&reserved=0" target="_blank"><span style='color:#3B73AF'>LinkedIn</span></a><o:p></o:p></span></p></div></div></div></div></div></div></div></div></div></body></html>