[Cscwg-public] Ballot CSC-11: Update to log data retention requirements

Ian McMillan ianmcm at microsoft.com
Fri Sep 17 23:01:23 UTC 2021


Ballot CSC-11: Update to log data retention requirements <https://wiki.cabforum.org/cscwg/csc_11_-_update_to_log_data_retention_requirements>

Purpose of this ballot:
Update the log data and retention of log data requirements in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.5. The following motion has been proposed by Ian McMillan of Microsoft, and I am looking for endorsements from two other members of the CSCWG.

- MOTION BEGINS -

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates” version 2.5 according to the attached redline which includes:


  *   Update section 15 “Data Records” removing references to [SSL/TLS] Baseline Requirements for this section in totality
  *   Update section 15 “Data Records” to include sub-section 15.1 “Types of Events Recorded” and describing the requirements for CAs and Third Party Delegates while removing “Signing Services”
  *   Update section 15 “Data Records” to include sub-section 15.2 “Timestamp Authority Data Records”
  *   Update section 15.1 to clarify 4(f) for security event logging on Timestamp Authority servers
  *   Update section 15.1 on 4(d) for security event logging to no longer include “hardware failures”
  *   Update section 15 “Data Records” to include sub-section 15.3 “Data Retention Period for Audit Logs”
  *   Update section 15.2 to no longer reference Baseline Requirements section 5.4.3 and define a specific retention period for CA, subscriber certificate, Timestamp Authority, and security event data records for at least 2 years

- MOTION ENDS -

The procedure for approval of this ballot is as follows:

Discussion (7 days)
Start Time: 2021-09-17, 19:00 Eastern Time (US)
End Time: not before 2021-09-24, 19:00 Eastern Time (US)

Vote for approval (7 days)
Start Time: 2021-09-24, 19:00 Eastern Time (US)
End Time: 2021-10-01, 19:00 Eastern Time (US)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Baseline Requirements for the Issuance and Management of Code Signing.v2.5+CSC-11_v2_redline.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 94961 bytes
Desc: Baseline Requirements for the Issuance and Management of Code Signing.v2.5+CSC-11_v2_redline.docx
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210917/608a5957/attachment-0001.docx>

