[Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements
Ian McMillan
ianmcm at microsoft.com
Wed Sep 8 20:01:38 UTC 2021
Thanks Seb and Dimitris!
I am totally with Dimitris on this topic and I like the addition “note” Dimitris and Clint are putting into the BRs (so much so I am incorporating it). Please see that attached revise of the redline doc.
Thanks,
Ian
From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Thursday, September 2, 2021 6:52 AM
To: Sebastian Schulz <sebastian.schulz at globalsign.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements
Hi Sebastian,
I'd like to share with the CSCWG a proposal I wrote after some collaboration with Clint Wilson from Apple. You may find the proposed changes to the BRs in https://github.com/dzacharo/servercert/pull/2/files<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdzacharo%2Fservercert%2Fpull%2F2%2Ffiles&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719961422%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=RNOddurbyIhItjFVDityJT%2FyjHhK%2F%2F%2BI5YSApXI5oHA%3D&reserved=0>.
The fact that the retention period has a lower limit, nothing prevents a CA from keeping logs/archives for longer periods in order to investigate past security incidents. This is highlighted in a NOTE in the proposal above. Similarly the NetSec SCWG subcommittee is working on a draft in https://docs.google.com/document/d/1SCyrt8la1slPJhvnWUW6ROlqIV3yaDwb3LKZ5qjdiH4<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1SCyrt8la1slPJhvnWUW6ROlqIV3yaDwb3LKZ5qjdiH4&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719971379%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Kfa9Oix82YtnVRSO8P75LlrEGScTedAzC%2FJvai3PMzg%3D&reserved=0>.
For the CA Certificates' retention period, which is proposed to be 2 years after the expiration/revocation/key deletion of the CA, IMHO the same principle applies. The CA must determine if it needs to keep logs for more time in order to perform proper retrospection related to a security incident AFTER a CA has been decommissioned.
Thanks,
Dimitris.
On 2/9/2021 1:35 μ.μ., Sebastian Schulz via Cscwg-public wrote:
Hey All, Hey Ian
What seems a little odd to me is that the requirements for the duration of log retention are the same for CA certificates as for subscriber certificates, given their wildly different original validity periods. I know the TLS BR handle it like that as well but come to think of it….isn’t the purpose of log retention to be able to identify possible errors in operation of a CA from the aftermath? Since CA certificate lifecycle operations are carried out at much lower frequency than those for subscriber certificates, I would have assumed that more logged time is needed to identify possible systemic errors (in contrast, 2 years retention for subscriber certificates with max 3 year validity almost seems long)
Just a thought that came to mind, maybe I just missed discussion around it. Or another discussion needs to be had, but not for this ballot then. When it comes to adding TS requirements and detaching it from TLS BR - looks good to me 😊
Best,
Seb
Sebastian Schulz
Product Manager Client Certificates
From: Cscwg-public <cscwg-public-bounces at cabforum.org><mailto:cscwg-public-bounces at cabforum.org> On Behalf Of Ian McMillan via Cscwg-public
Sent: 01 September 2021 17:00
To: Ian McMillan <ianmcm at microsoft.com><mailto:ianmcm at microsoft.com>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>; dzacharo at harica.gr<mailto:dzacharo at harica.gr>; Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>
Subject: Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements
Hi All,
Please review the attached updated redline with the removal of all references to the SSL/TLS BRs for section 15 on data records.
I’d like to note that Signing Services are included in the data records requirements but seem really out of place as they are responsible for subscriber key generation and protection as it is described in section 16.2, and not the management or creation of CA certificates. I could easily see us removing Sign Services from this section or authoring a new set of requirements for signing services as part of the refinement of the CSBRs for signing services.
Thanks,
Ian
From: Cscwg-public <cscwg-public-bounces at cabforum.org><mailto:cscwg-public-bounces at cabforum.org> On Behalf Of Ian McMillan via Cscwg-public
Sent: Wednesday, September 1, 2021 8:27 AM
To: dzacharo at harica.gr<mailto:dzacharo at harica.gr>; Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: Re: [Cscwg-public] [EXTERNAL] Re: DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements
Hi Bruce and Dimitris,
I like this idea and I’ll work on this update to share with the group before next week’s meeting.
Thanks,
Ian
Get Outlook for iOS<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719981339%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=sdIfRYm9riGo3EinAEjzs2YCkhZsbjcI%2FErkRxgRFv4%3D&reserved=0>
________________________________
From: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr<mailto:dzacharo at harica.gr>>
Sent: Wednesday, September 1, 2021 8:16:03 AM
To: Bruce Morton <Bruce.Morton at entrust.com<mailto:Bruce.Morton at entrust.com>>; cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org> <cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>>; Ian McMillan <ianmcm at microsoft.com<mailto:ianmcm at microsoft.com>>
Subject: [EXTERNAL] Re: [Cscwg-public] DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements
On 26/8/2021 9:00 μ.μ., Bruce Morton via Cscwg-public wrote:
Hi Ian,
I am wondering if we could change the text, so we do not reference the SSL BRs. I’m saying this because:
1. CSBRs refer to SSL BR version 1.6.9, which was updated per SC27
2. CSBR section 15.2 would be easier to read
3. CSBR section 15.2 would be independent of the SSL BRs, which goes in the direction of our goal
Thanks, Bruce.
I agree with Bruce. We should try to incorporate text from the TLS BRs that makes sense for the CS BRs as much as we can and avoid references that have the risk of becoming broken or amended by the SCWG.
Thanks,
Dimitris.
From: Cscwg-public <cscwg-public-bounces at cabforum.org><mailto:cscwg-public-bounces at cabforum.org> On Behalf Of Ian McMillan via Cscwg-public
Sent: Thursday, August 26, 2021 12:29 PM
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [EXTERNAL] [Cscwg-public] DISCUSS/ENDORSE: Ballot CSC-11: Update to log data retention requirements
WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
Hi Folks,
I am looking for feedback and at least two endorsements on this new ballot I am proposing. Please share your feedback and if you are willing to endorse this ballot.
Ballot CSC-11: Update to log data retention requirements<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_11_-_update_to_log_data_retention_requirements__%3B!!FJ-Y8qCqXTj2!OxtP9iVwcvkR2NB3D6_-cStNUlZ0jiRsvQI7kzZGF3vX8NFDtimB6Te0-iBFuXDSLg0%24&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767719991296%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=2apKicY6AAJrNRYAmvy3ZpdreDDdft%2F77FnTR5YyQf4%3D&reserved=0>
Purpose of this ballot:
Update the log data and retention of log data requirements in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.5.
The following motion has been proposed by Ian McMillan of Microsoft, and I am looking for endorsements from two other members of the CSCWG.
— MOTION BEGINS —
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 2.5 according to the attached redline which including
Update section 15 “Data Records” to include sub-section 15.1 “Timestamp Authority Data Records”
Update section 15.1 to clarify 4(f) for security event logging on Timestamp Authority servers
Update section 15.1 on 4(d) for security event logging to no longer include “hardware failures”
Update section 15 “Data Records” to include sub-section 15.2 “Data Retention Period for Audit Logs”
Update section 15.2 to no longer reference Baseline Requirements section 5.4.3 and defined a specific retention period for CA, subscriber certificate, Timestamp Authority, and security event data records for at least 2 years
— MOTION ENDS —
Thanks,
Ian
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org<mailto:Cscwg-public at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/cscwg-public<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767720001248%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=Kt%2BHiMNa%2F4GIsPfUfPDnqwGMNRVhr%2BAen4Wh%2FYPyKoI%3D&reserved=0>
_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org<mailto:Cscwg-public at cabforum.org>
https://lists.cabforum.org/mailman/listinfo/cscwg-public<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cabforum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cianmcm%40microsoft.com%7Cc945000f631842bfa31408d96dffaa93%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637661767720011203%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=0q59np1F%2BztHzC37FNqrfbYCg4rRSyH2RX7aQL8QSFM%3D&reserved=0>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210908/3eda70c1/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Baseline Requirements for the Issuance and Management of Code Signing.v2.5+CSC-11_DataRetention.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 95394 bytes
Desc: Baseline Requirements for the Issuance and Management of Code Signing.v2.5+CSC-11_DataRetention.docx
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210908/3eda70c1/attachment-0001.docx>
More information about the Cscwg-public
mailing list