[Servercert-wg] [EXTERNAL] Ballot SC38 - Alignment of Record Archival

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Wed Dec 16 09:31:55 UTC 2020


Is it possible that we try to align sections 5.4 and 5.5 with RFC 3647 to avoid confusion?

Where 5.4 is intended to record the audit log, as in who, what, when, and where (but without the actual content).
https://www.rfc-editor.org/rfc/rfc3647.html#section-4.5.4

The introduction of BR section 5.4.1 currently states: "including all information generated and documentation received in connection with the certificate request", which should fall under section 5.5 according to RFC 3647.

Section 5.5.1 of the BR currently has no clear definition of what needs to be archived and leans on 5.5.2 which conflicts with 5.4.3 based on the description of 5.4.1.

We might also want to consider including audit records, CRL's, CP/CPS documents, etc. under 5.5.1.

Paul
________________________________
From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Neil Dunbar via Servercert-wg <servercert-wg at cabforum.org>
Sent: Wednesday, December 9, 2020 11:37
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL][Servercert-wg] Ballot SC38 - Alignment of Record Archival

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

This begins the discussion period for Ballot SC38: Alignment of Record
Archival (which I circulated a little while ago).

The following ballot is proposed by Neil Dunbar of TrustCor Systems and
endorsed by David Kluge of Google Trust Services and Ben Wilson of Mozilla.

Purpose of Ballot:

After the updated language included in SC28 Sections 5.4.3 and 5.5.2 (of
the BRs) could be in conflict. Section 5.5.2 requires all documentation
relating to certificate requests and the verification thereof, and all
Certificates and revocation thereof be retained for seven years after
certificates cease to to be valid. Section 5.4.3 requires all audit logs
of Subscriber Certificate lifecycle management event records be
maintained for two years after the revocation or expiration of the
Subscriber Certificate. These sections intersect at the retention
requirements for audit logs and archived records, as they relate to
subscriber certificate lifecycle events. The retention periods are in
conflict as to the length of retention.

The proposed changes seek to bring these two sections of the “Baseline
Requirements” into agreement and avoid confusion and potential issues of
noncompliance as they relate to retention periods.

The NetSec discussion document for this ballot is attached as a PDF to
this email.

-- MOTION BEGINS --

Delete the following Section 5.5.2 Retention period for archive from the
“Baseline Requirements for the Issuance and Management of
Publicly-Trusted Certificates”, which currently reads as follows:

The CA SHALL retain all documentation relating to certificate requests
and the verification thereof, and all Certificates and revocation
thereof, for at least seven years after any Certificate based on that
documentation ceases to be valid.
Insert, as Section 5.5.2. Retention period for archive of the “Baseline
Requirements for the Issuance and Management of Publicly-Trusted
Certificates”, the following:

The CA SHALL retain all documentation relating to certificate requests
and the verification thereof, and all Certificates and revocation
thereof, for at least two years after any Certificate based on that
documentation ceases to be valid.

-- MOTION ENDS --

* WARNING *: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE OFFICIAL
VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):

A comparison of the changes can be found at:
https://github.com/cabforum/documents/compare/8f63128...neildunbar:180341b

This ballot proposes one Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion: (7+ days)
Start Time: 2020-12-09 17:00 UTC
End Time: not before 2020-12-16 17:00 UTC

Vote for approval: (7 days)
Start Time: TBD
End Time: TBD

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20201216/4c3488ee/attachment.html>


More information about the Servercert-wg mailing list