[Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements

Ian McMillan ianmcm at microsoft.com
Wed Sep 1 12:26:24 UTC 2021

Hi Bruce and Dimitris,

I like this idea and I¡¯ll work on this update to share with the group before next week¡¯s meeting.


Get Outlook for iOS<https://aka.ms/o0ukef>
From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Sent: Wednesday, September 1, 2021 8:16:03 AM
To: Bruce Morton <Bruce.Morton at entrust.com>; cscwg-public at cabforum.org <cscwg-public at cabforum.org>; Ian McMillan <ianmcm at microsoft.com>
Subject: [EXTERNAL] Re: [Cscwg-public] DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements

On 26/8/2021 9:00 ¦Ì.¦Ì., Bruce Morton via Cscwg-public wrote:

Hi Ian,

I am wondering if we could change the text, so we do not reference the SSL BRs. I¡¯m saying this because:

  *   CSBRs refer to SSL BR version 1.6.9, which was updated per SC27
  *   CSBR section 15.2 would be easier to read
  *   CSBR section 15.2 would be independent of the SSL BRs, which goes in the direction of our goal

Thanks, Bruce.

I agree with Bruce. We should try to incorporate text from the TLS BRs that makes sense for the CS BRs as much as we can and avoid references that have the risk of becoming broken or amended by the SCWG.


From: Cscwg-public <cscwg-public-bounces at cabforum.org><mailto:cscwg-public-bounces at cabforum.org> On Behalf Of Ian McMillan via Cscwg-public
Sent: Thursday, August 26, 2021 12:29 PM
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [EXTERNAL] [Cscwg-public] DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.


Hi Folks,

I am looking for feedback and at least two endorsements on this new ballot I am proposing. Please share your feedback and if you are willing to endorse this ballot.

Ballot CSC-11: Update to log data retention requirements<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_11_-_update_to_log_data_retention_requirements__%3B!!FJ-Y8qCqXTj2!OxtP9iVwcvkR2NB3D6_-cStNUlZ0jiRsvQI7kzZGF3vX8NFDtimB6Te0-iBFuXDSLg0%24&data=04%7C01%7Cianmcm%40microsoft.com%7C8fc9d0797c7f492d1f9d08d96d424abc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637660954250705139%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=hBcU9%2Fz2hbi6CeYK3dlV9FvnoTGCdFui19VI5Pi5OZA%3D&reserved=0>

Purpose of this ballot:

Update the log data and retention of log data requirements in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.5.

The following motion has been proposed by Ian McMillan of Microsoft, and I am looking for endorsements from two other members of the CSCWG.


This ballot updates the ¡°Baseline Requirements for the Issuance and Management of Publicly©\Trusted Code Signing Certificates¡° version 2.5 according to the attached redline which including

-        Update section 15 ¡°Data Records¡± to include sub-section 15.1 ¡°Timestamp Authority Data Records¡±

-        Update section 15.1 to clarify 4(f) for security event logging on Timestamp Authority servers

-        Update section 15.1 on 4(d) for security event logging to no longer include ¡°hardware failures¡±

-        Update section 15 ¡°Data Records¡± to include sub-section 15.2 ¡°Data Retention Period for Audit Logs¡±

-        Update section 15.2 to no longer reference Baseline Requirements section 5.4.3 and defined a specific retention period for CA, subscriber certificate, Timestamp Authority, and security event data records for at least 2 years




Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

Cscwg-public mailing list
Cscwg-public at cabforum.org<mailto:Cscwg-public at cabforum.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210901/e773520c/attachment-0001.html>

More information about the Cscwg-public mailing list