[cabfpub] [EXTERNAL] Re: Ballot 190

Ryan Sleevi sleevi at google.com
Mon May 1 16:49:42 UTC 2017


On Mon, May 1, 2017 at 12:37 PM, Kirk Hall via Public <public at cabforum.org>
wrote:

> As Bruce said on our call last week, adding flags to our vetting system as
> to what type of vetting method was used is on our roadmap - but right
> now, we can't know without opening each and every vetting file for each and
> every domain that was vetted over the past 39 months.  This was never an
> important piece of data in the past.


That's not exactly accurate. It was always an important detail, which is
why Section 5.4.1 calls out all the data to be retained in audit logs.

It sounds like your system does not have easily queried audit logs, which
would presumably cover it, as part of "All verification activities" - as
hopefully you're at least logging "We did activity X" and not just "We did
an activity". Perhaps I'm misunderstanding, but it also highlights an
unfortunate oversight for critical security functions, since a CA that is
thoughtful about security would consider very carefully to record
everything they need in the event of compromise and/or misissuance. Since
that is, of course, the purpose of audit logs.

However, understanding that it's on your "roadmap" is useful. Is it
unreasonable to expect that you would be able, for new validation
activities and issuance, to accomplish this in three months? That
is, notwithstanding existing issuance or reuse, that any new validation
activities Entrust performs can maintain, within your vetting system, the
same degree of information required of your audit logging? If so, that
makes it quite easy to require that _new_ validations record that
information, which at least sets a hard upper bound on when all of
Entrust's validation activities will be at the same level as many of your
CA peers.