[Servercert-wg] Ballot SC38v2 - Alignment of Record Archival

Neil Dunbar ndunbar at trustcorsystems.com
Wed Dec 30 10:45:42 UTC 2020


All,

I'm heartbeating the discussion period since the holiday season has got 
in the way of producing an improved text to address the issues which 
Ryan, Paul and others have brought up. I didn't want to lose the ballot 
because of the end of year gap.

I do have a set of improvements which will be addressed at the next 
NetSec meeting on 2021-01-05, so we can expect a new version of the 
ballot shortly after that.

The changes planned are to directly address the RA requirement as well 
as the "suspicious activity database" and then to directly address the 
retention of certificate request rejection/certificate revocation in 5.4.

Thanks,

Neil

On 09/12/2020 10:37, Neil Dunbar via Servercert-wg wrote:
> This begins the discussion period for Ballot SC38: Alignment of Record 
> Archival (which I circulated a little while ago).
>
> The following ballot is proposed by Neil Dunbar of TrustCor Systems 
> and endorsed by David Kluge of Google Trust Services and Ben Wilson of 
> Mozilla.
>
> Purpose of Ballot:
>
> After the updated language included in SC28 Sections 5.4.3 and 5.5.2 
> (of the BRs) could be in conflict. Section 5.5.2 requires all 
> documentation relating to certificate requests and the verification 
> thereof, and all Certificates and revocation thereof be retained for 
> seven years after certificates cease to be valid. Section 5.4.3 
> requires all audit logs of Subscriber Certificate lifecycle management 
> event records be maintained for two years after the revocation or 
> expiration of the Subscriber Certificate. These sections intersect at 
> the retention requirements for audit logs and archived records, as 
> they relate to subscriber certificate lifecycle events. The retention 
> periods are in conflict as to the length of retention.
>
> The proposed changes seek to bring these two sections of the “Baseline 
> Requirements” into agreement and avoid confusion and potential issues 
> of noncompliance as they relate to retention periods.
>
> The NetSec discussion document for this ballot is attached as a PDF to 
> this email.
>
> -- MOTION BEGINS --
>
> Delete the following Section 5.5.2 Retention period for archive from 
> the “Baseline Requirements for the Issuance and Management of 
> Publicly-Trusted Certificates”, which currently reads as follows:
>
> The CA SHALL retain all documentation relating to certificate requests 
> and the verification thereof, and all Certificates and revocation 
> thereof, for at least seven years after any Certificate based on that 
> documentation ceases to be valid.
>
> Insert, as Section 5.5.2. Retention period for archive of the 
> “Baseline Requirements for the Issuance and Management of 
> Publicly-Trusted Certificates”, the following:
>
> The CA SHALL retain all documentation relating to certificate requests 
> and the verification thereof, and all Certificates and revocation 
> thereof, for at least two years after any Certificate based on that 
> documentation ceases to be valid.
>
> -- MOTION ENDS --
>
> * WARNING *: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE 
> OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
> A comparison of the changes can be found at: 
> https://github.com/cabforum/documents/compare/8f63128...neildunbar:180341b
>
> This ballot proposes one Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion: (7+ days)
> Start Time: 2020-12-09 17:00 UTC
> End Time: not before 2020-12-16 17:00 UTC
>
> Vote for approval: (7 days)
> Start Time: TBD
> End Time: TBD