<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 2, 2024, 16:13 Clint Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-break:after-white-space">Hi Martijn,<div><br></div><div>Thanks for sending this out for discussion. Just a few comments at this point:</div><div><br></div><div><ol><li>I’m not sure the wording "Router and firewall activities" is considered an unspecified term, and leaves the exact definition and scope up to the CA, however” is necessary or even really helpful. I think it would be clearer to introduce Section 5.4.1.1 with something like “Logging of router and firewall activities necessary to meet the requirements of Section 5.4.1, Subsection 3.6 MUST at a minimum include:”</li><ul><li>I’m not sold on the “Subsection” part, but I don’t recall if we have good semantics established for referencing the numbered paragraphs/sections under a Section heading.</li></ul></ol></div></div></blockquote></div></div><div dir="auto"><br></div><div dir="auto">I believe the most widely-used nomenclature would be "Paragraph".</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="line-break:after-white-space"><div><ol><li>I think the entire section including and under "Logging of router and firewall activities SHOULD NOT include:” should be removed. </li><ul><li>The first item listed seems overly broad (arguably, imo, even covering the “inbound and outbound” connections of the second item) and so making it a SHOULD NOT seems too strong a recommendation.</li><li>The second item seems counterintuitive and difficult to implement correctly+consistently. It could be read as something like “don’t log unless you know you’re being exploited”, which doesn’t sound like a recommendation we should be making (especially in the context of post-incident data analysis).</li><li>Neither of these recommendations seems necessary to accomplish the goals of additional clarity and specificity of what MUST be logged.</li></ul><li>The concluding sentence "CAs are encouraged to recommend additional MUST and SHOULD NOT requirements through an email to <a href="mailto:questions@cabforum.org" target="_blank" rel="noreferrer">questions@cabforum.org</a>, for future discussion within the appropriate Working Group.” stands out as I think it’s the only such “encouragement” in the BRs. I don’t think that makes it bad or that it should be removed, but I’m also not sure how valuable it is to the BRs as a policy. I admit that may be because I view this encouragement as fundamental to membership and participation in the CA/B Forum at all — every member, regardless of type, should feel welcome and encouraged to recommend changes to any of the CA/B Forum documents. But we don’t say that anywhere, so maybe this is a good start?</li></ol><div><br></div><div>Cheers!</div><div>-Clint</div><div><br><blockquote type="cite"><div>On Jan 29, 2024, at 10:30 AM, Martijn Katerbarg via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank" rel="noreferrer">servercert-wg@cabforum.org</a>> wrote:</div><br><div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><p><strong><span style="font-family:Calibri,sans-serif">Summary: </span></strong><u></u><u></u></p><p id="m_-1933021044847986049bkmrk-this-ballot-aims-to-">This ballot aims to clarify what data needs to be logged as part of the "Firewall and router activities" logging requirement in the Baseline Requirements<span lang="EN-US">.</span><u></u><u></u></p><p id="m_-1933021044847986049bkmrk-this-pull-request-pr">This ballot is proposed by Martijn Katerbarg (Sectigo) and endorsed by Daniel Jeffery (Fastly) and Ben Wilson (Mozilla).<u></u><u></u></p><p id="m_-1933021044847986049bkmrk-%E2%80%94-motion-begins-%E2%80%94">--- Motion Begins ---<u></u><u></u></p><p id="m_-1933021044847986049bkmrk-this-ballot-modifies">This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Reuqirements"), based on Version 2.0.2.<u></u><u></u></p><p id="m_-1933021044847986049bkmrk-modify-the-baseline-">MODIFY the Baseline Requirements as specified in the following Redline:<span> </span><a href="https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...807675c91c8500157b0ffd58ab3a40b0b17075e5" style="color:rgb(5,99,193);text-decoration:underline" target="_blank" rel="noreferrer">https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...807675c91c8500157b0ffd58ab3a40b0b17075e5</a><u></u><u></u></p><p id="m_-1933021044847986049bkmrk-----motion-ends----">--- Motion Ends ---<u></u><u></u></p><p id="m_-1933021044847986049bkmrk-this-ballot-proposes">This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:<u></u><u></u></p><p id="m_-1933021044847986049bkmrk-discussion-%2811%2B-days">Discussion (at least 7 days)<u></u><u></u></p><ol start="1" type="1" style="margin-bottom:0cm"><li style="margin-right:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri,sans-serif">Start time: 2024-01-2<span lang="SV">9</span><span> </span>1<span lang="SV">8</span>:<span lang="SV">3</span>0:00 UTC</li><li style="margin-right:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri,sans-serif">End time: not before 2024-02-05 1<span lang="EN-US">8</span>:<span lang="EN-US">3</span>0:00 UTC<u></u><u></u></li></ol><p id="m_-1933021044847986049bkmrk-vote-for-approval-%287">Vote for approval (7 days)<u></u><u></u></p><ol start="1" type="1" style="margin-bottom:0cm"><li style="margin-right:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri,sans-serif">Start time: TBD</li><li style="margin-right:0cm;margin-left:0cm;font-size:11pt;font-family:Calibri,sans-serif">End time: TBD</li></ol><p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif"> </p></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">_______________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline!important">Servercert-wg mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="mailto:Servercert-wg@cabforum.org" style="color:rgb(5,99,193);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer">Servercert-wg@cabforum.org</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" style="color:rgb(5,99,193);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" rel="noreferrer">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a></div></blockquote></div><br></div></div>_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank" rel="noreferrer">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div></div></div>