[Cscwg-public] [EXTERNAL] Voting Begins: Ballot CSC-11: Update to log data retention

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Sep 28 15:42:48 UTC 2021

Hi Bruce,

According to the Bylaws section 2.3 (3), it is possible for the 
discussion period to be more than 7 days so the *proposer* of the ballot 
must explicitly start the voting period which is for exactly 7 days. I 
don't think Ian started the voting period.

/"Once no new version of the ballot has been posted for seven (7) 
calendar days, *the proposer may end the discussion period and start the 
voting period* by *reposting the final version of the ballot* and 
clearly i*ndicating that voting is to begin*, along with the start and 
end dates and times (including time zone) for the voting period"/

Also, Ian's original email had a link to the wiki, which is not publicly 
available (thus not acceptable according to the Bylaws), but the redline 
that was attached met the requirements. This redline needs to be re-sent 
when Ian starts the voting period.

I am highlighting this for future ballots so that if there is only a 
pointer to a redline hosted at an external site, the link must be 
pointing to a public and immutable redline.

Sorry for reporting this but it's best to do this right than having 
challenges in the future.


On 27/9/2021 3:11 μ.μ., Bruce Morton via Cscwg-public wrote:
> Entrust votes Yes to ballot CSC-11.
> Bruce.
> *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of 
> *Ian McMillan via Cscwg-public
> *Sent:* Friday, September 24, 2021 7:01 PM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Cscwg-public] Voting Begins: Ballot CSC-11: 
> Update to log data retention
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know 
> the content is safe.
> ------------------------------------------------------------------------
> *Ballot CSC-11: Update to log data retention requirements 
> <https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Furldefense.com*2Fv3*2F__https*3A*2Fnam06.safelinks.protection.outlook.com*2F*3Furl*3Dhttps*3A*2F*2Furldefense.com*2Fv3*2F__https*3A*2Fwiki.cabforum.org*2Fcscwg*2Fcsc_11_-_update_to_log_data_retention_requirements__*3B!!FJ-Y8qCqXTj2!OxtP9iVwcvkR2NB3D6_-cStNUlZ0jiRsvQI7kzZGF3vX8NFDtimB6Te0-iBFuXDSLg0*24*26data*3D04*7C01*7Cianmcm*40microsoft.com*7Ce3bd2ae0dce4468183c108d9737ae5b0*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637667794999582131*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000*26sdata*3DBJidr4YnWniggGmazUxO4cTwAuX0iHteFREqsQRzkoE*3D*26reserved*3D0__*3BJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!FJ-Y8qCqXTj2!NWv1K7HGvAxUABiMxdfaCMe3GpkaaPtdGr0fmyfxRX1KGs0uZ0T8Jv4ZKzUoZrd49aU*24&data=04*7C01*7Cianmcm*40microsoft.com*7C01e89b1c05da47fcdfba08d97a2f1984*7C72f988bf86f141af91ab2d7cd011db47*7C0*7C0*7C637675165228324176*7CUnknown*7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*3D*7C1000&sdata=dKwimRLyToP*2FcULHIYvxeB*2FMitrVOoTRe5ql7h4qZrA*3D&reserved=0__;JSUlJSUlJSUlJSoqKioqKioqKioqJSUqKioqKioqKioqKiolJSolJSUlJSUlJSUlJSUlJSUlJSUl!!FJ-Y8qCqXTj2!ITKna9KcfXc7HkRFu1gX_Sx3mUCs01wd3i8d3YDOWczknOMX4XiG3L1IFtkcvO3ZVyU$>*
> Purpose of this ballot:
> Update the log data and retention of log data requirements in the 
> Baseline Requirement for the Issuance and Management of 
> Publicly-Trusted Code Signing Certificates v2.5. The following motion 
> has been proposed by Ian McMillan of Microsoft, and endorsed by 
> Dimitris Zacharopoulos (HARICA) and Bruce Morton (Entrust).
> This ballot updates the “Baseline Requirements for the Issuance and 
> Management of Publicly‐Trusted Code Signing Certificates“ version 2.5 
> according to the attached redline which includes:
>   * Update section 15 “Data Records” removing references to [SSL/TLS]
>     Baseline Requirements for this section in totality
>   * Update section 15 “Data Records” to include sub-section 15.1
>     “Types of Events Recorded” and describing the requirements for CAs
>     and Third Party Delegates while removing “Signing Services”
>   * Update section 15 “Data Records” to include sub-section 15.2
>     “Timestamp Authority Data Records”
>   * Update section 15.1 to clarify 4(f) for security event logging on
>     Timestamp Authority servers
>   * Update section 15.1 on 4(d) for security event logging to no
>     longer include “hardware failures”
>   * Update section 15 “Data Records” to include sub-section 15.3 “Data
>     Retention Period for Audit Logs”
>   * Update section 15.2 to no longer reference Baseline Requirements
>     section 5.4.3 and defined a specific retention period for CA,
>     subscriber certificate, Timestamp Authority, and security event
>     data records for at least 2 years
> The procedure for approval of this ballot is as follows:
> Discussion (7 days)
> Start Time: 2021-09-17, 19:00 Eastern Time (US)
> End Time: not before 2021-09-24, 19:00 Eastern Time (US)
> Vote for approval (7 days)
> Start Time: 2021-09-24, 19:00 Eastern Time (US)
> End Time: 2021-10-01, 19:00 Eastern Time (US)
> /Any email and files/attachments transmitted with it are confidential 
> and are intended solely for the use of the individual or entity to 
> whom they are addressed. If this message has been sent to you in 
> error, you must not copy, distribute or disclose of the information it 
> contains. _Please notify Entrust immediately_ and delete the message 
> from your system./
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210928/3ea275f4/attachment.html>

More information about the Cscwg-public mailing list