[cabf_netsec] Discussion for sections 5.4 and 5.5 [Was: Meeting minutes for NetSec 2021-04-27]

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed May 12 18:11:30 UTC 2021


I read the minutes of the netsec subcommittee and have some 
questions/comments regarding sections 5.4 and 5.5 of the BRs.

First of all, I believe it would be useful for members to refresh their 
recollection of RFC 3647 because it might resolve some of the confusion 
on this topic.

In RFC 3647, sections 5.4 and 5.5 are pretty much structured the same 
way. Here's the relevant structure:

5.4 Audit Logging Procedures
    5.4.1 *Types of Events Recorded*
    5.4.2 Frequency of Processing Log
    5.4.3 *Retention Period for Audit Log*
    5.4.4 *Protection of Audit Log*
    5.4.5 *Audit Log Backup Procedures*
    5.4.6 Audit Collection System (Internal vs. External)
    5.4.7 Notification to Event-Causing Subject
    5.4.8 Vulnerability Assessments

5.5 Records Archival
    5.5.1 *Types of Records Archived*
    5.5.2 *Retention Period for Archive*
    5.5.3 *Protection of Archive*
    5.5.4 *Archive Backup Procedures*
    5.5.5 Requirements for Time-Stamping of Records
    5.5.6 Archive Collection System (Internal or External)
    5.5.7 Procedures to Obtain and Verify Archive Information

In my understanding, section 5.4 focuses on "events", and guidance is 
provided in section 4.5.4 
<https://datatracker.ietf.org/doc/html/rfc3647#section-4.5.4> of the 
RFC. This includes events recorded that are related to certificate 
lifecycle operations. However, this is just for "events", which are 
actions captured/performed by systems and humans and are captured in 
databases, log files and other transactions.

It is clear to me that the intent of the authors of RFC 3647 is for a CA 
to include *policy* to set the *retention period* of these "Audit Logs" 
(documented in 5.4.3 of the CA's CP/CPS), *protection controls* for 
these "Audit Logs" (so they cannot be tampered with and/or deleted), and 
*backup* controls so they cannot be recovered.

Section 5.5 focuses on "Records", and guidance is provided in section 
4.5.5 <https://datatracker.ietf.org/doc/html/rfc3647#section-4.5.5> of 
the RFC. That could be documentation supporting certificate 
applications, identity/organization evidence, ceremony scripts, audit 
reports, in general any supporting evidence that "is not an event"!

As with the "events", a CA should set policy for the *retention 
period* of these "records" (documented in 5.5.2 of the CA's 
CP/CPS), *protection controls*, *backup* of these records, and so on.

As an example, think of a CA having a new subCA ceremony. This task 
includes both "events" being captured (key generation, issuance of the 
subCA certificate), and "records" being recorded (a ceremony script, 
paper logs where trusted role members sign-off, possibly configuration 
files).

I believe the "events" fall under section 5.4 and "records" fall under 
section 5.5. From a policy perspective, we have the flexibility to set 
different retention and protection for these two types but the safest 
approach would be to keep them aligned.

I would be in favor of the NetSec subcommittee:

 1. clarify this interpretation of "what is an event" and "what is a
    record",
 2. populate 5.5.1 with the "categories" described in 5.4.1, and then
 3. carefully check which particular "tasks" make sense for 5.4.1 and 5.5.1,
 4. update 5.4.3 and 5.5.2 to include language to describe either BOTH
    retention periods (some *events/records* may need to be retained for
    2 years and some for 7) OR agree on a 2-year make-sense-for-all policy.

Finally, we should update the title of 5.4.2 to match RFC 3647.

Thoughts?
Dimitris.


On 11/5/2021 6:28 PM, Neil Dunbar via Netsec wrote:
> All,
>
> These were actually sent out a while back, but for some reason didn't 
> make it to the list - apparently I was a non-member... I think I've 
> fixed list permissions, but hopefully this gets through now.
>
> Meeting minutes are attached below  - all comments gratefully received.
>
> Regards,
>
> Neil
>
