[cabf_netsec] Discussion for sections 5.4 and 5.5 [Was: Meeting minutes for NetSec 2021-04-27]
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed May 12 18:11:30 UTC 2021
I read the minutes of the netsec subcommittee and have some
questions/comments regarding sections 5.4 and 5.5 of the BRs.
First of all, I believe it would be useful for members to refresh their
recollection of RFC 3647 because it might resolve some of the confusion
on this topic.
In RFC 3647, sections 5.4 and 5.5 are pretty much structured the same
way. Here's the relevant structure:
5.4 Audit Logging Procedures
  5.4.1 *Types of Events Recorded*
  5.4.2 Frequency of Processing Log
  5.4.3 *Retention Period for Audit Log*
  5.4.4 *Protection of Audit Log*
  5.4.5 *Audit Log Backup Procedures*
  5.4.6 Audit Collection System (Internal vs. External)
  5.4.7 Notification to Event-Causing Subject
  5.4.8 Vulnerability Assessments

5.5 Records Archival
  5.5.1 *Types of Records Archived*
  5.5.2 *Retention Period for Archive*
  5.5.3 *Protection of Archive*
  5.5.4 *Archive Backup Procedures*
  5.5.5 Requirements for Time-Stamping of Records
  5.5.6 Archive Collection System (Internal or External)
  5.5.7 Procedures to Obtain and Verify Archive Information
In my understanding, section 5.4 focuses on "events", and guidance is
provided in section 4.5.4
<https://datatracker.ietf.org/doc/html/rfc3647#section-4.5.4> of the
RFC. This includes events recorded that are related to certificate
lifecycle operations. However, this is just for "events", which are
actions performed by systems and humans and are captured in
databases, log files and other transactions.
It is clear to me that the intent of the authors of RFC 3647 is for a CA
to include *policy* to set the *retention period* of these "Audit Logs"
(documented in 5.4.3 of the CA's CP/CPS), *protection controls* for
these "Audit Logs" (so they cannot be tampered with and/or deleted), and
*backup* controls so they cannot be recovered.
Section 5.5 focuses on "Records", and guidance is provided in section
4.5.5 <https://datatracker.ietf.org/doc/html/rfc3647#section-4.5.5> of
the RFC. That could be documentation supporting certificate
applications, identity/organization evidence, ceremony scripts, audit
reports, in general any supporting evidence that "is not an event"!
As with the "events", a CA should set policy for the *retention
period* of these "records" (documented in 5.5.2 of the CA's
CP/CPS), *protection controls*, *backup* of these records, and so on.
As an example, think of a CA having a new subCA ceremony. This task
includes both "events" being captured (key generation, issuance of the
subCA certificate), and "records" being recorded (a ceremony script,
paper logs where trusted role members sign-off, possibly configuration
files).
I believe the "events" fall under section 5.4 and "records" fall under
section 5.5. From a policy perspective, we have the flexibility to set
different retention and protection for these two types but the safest
approach would be to keep them aligned.
I would be in favor of the NetSec subcommittee:
1. clarifying this interpretation of "what is an event" and "what is a
record",
2. populating 5.5.1 with the "categories" described in 5.4.1, and then
3. carefully checking which particular "tasks" make sense for 5.4.1 and 5.5.1,
4. updating 5.4.3 and 5.5.2 to include language describing either BOTH
retention periods (some *events/records* may need to be retained for
2 years and some for 7) OR agreeing on a 2-year policy that makes sense for all.
Finally, we should update the title of 5.4.2 to match RFC 3647.
Thoughts?
Dimitris.
On 11/5/2021 6:28 p.m., Neil Dunbar via Netsec wrote:
> All,
>
> These were actually sent out a while back, but for some reason didn't
> make it to the list - apparently I was a non-member... I think I've
> fixed list permissions, but hopefully this gets through now.
>
> Meeting minutes are attached below - all comments gratefully received.
>
> Regards,
>
> Neil
>