[Servercert-wg] Ballot SC38v2 - Alignment of Record Archival

Neil Dunbar ndunbar at trustcorsystems.com
Wed Dec 30 16:55:53 UTC 2020 

Joel,

Since the BR stipulations only cover minima for record retention, I 
would have thought that no conflict is likely unless a government entity 
has a maximum record retention which is shorter than that required by 
the BRs. [For example, if the BRs require storage for 7 years or more, 
but a local regulation mandates that records must be expunged after 5 
years].

In that case, I suspect that section 9.16.3 of the BRs ("Severability") 
would come into play; that would require that the CA adheres to local 
law  but states in its CPS, in 9.16.3, what the local law is, why and 
how it overrides the BR stipulations; as well as informing the CA/B by 
posting to `questions at cabforum.org` of the legally required mandate to 
diverge from the BRs.

Others can comment more on this, but I think that we probably don't need 
specific language in the ballot to cover this, unless I misunderstand 
9.16.3.

Best,

Neil

On 30/12/2020 14:16, Kazin, Joel S wrote:
>
> Neil,
>
> I agree with the change. However, wouldn’t any legal hold override the 
> retention requirements of the BR? I’m uncertain if that condition has 
> to be called out in the BR. Thoughts?
>
> Regards,
>
> Joel Kazin
>
> *From:*Servercert-wg [mailto:servercert-wg-bounces at cabforum.org] *On 
> Behalf Of *Neil Dunbar via Servercert-wg
> *Sent:* Wednesday, December 30, 2020 5:46 AM
> *To:* servercert-wg at cabforum.org
> *Subject:* [Servercert-wg] Ballot SC38v2 - Alignment of Record Archival
>
> All,
>
> I'm heartbeating the discussion period since the holiday season has 
> got in the way of producing an improved text to address the issues 
> which Ryan, Paul and others have brought up. I didn't want to lose the 
> ballot because of the end of year gap.
>
> I do have a set of improvements which will be addressed at the next 
> NetSec meeting on 2021-01-05, so we can expect a new version of the 
> ballot shortly after that.
>
> The changes planned are to directly address the RA requirement as well 
> as the "suspicious activity database" and then to directly address the 
> retention of certificate request rejection/certificate revocation in 5.4.
>
> Thanks,
>
> Neil
>
> On 09/12/2020 10:37, Neil Dunbar via Servercert-wg wrote:
>
>     This begins the discussion period for Ballot SC38: Alignment of
>     Record Archival (which I circulated a little while ago).
>
>     The following ballot is proposed by Neil Dunbar of TrustCor
>     Systems and endorsed by David Kluge of Google Trust Services and
>     Ben Wilson of Mozilla.
>
>     Purpose of Ballot:
>
>     After the updated language included in SC28 Sections 5.4.3 and
>     5.5.2 (of the BRs) could be in conflict. Section 5.5.2 requires
>     all documentation relating to certificate requests and the
>     verification thereof, and all Certificates and revocation thereof
>     be retained for seven years after certificates cease to to be
>     valid. Section 5.4.3 requires all audit logs of Subscriber
>     Certificate lifecycle management event records be maintained for
>     two years after the revocation or expiration of the Subscriber
>     Certificate. These sections intersect at the retention
>     requirements for audit logs and archived records, as they relate
>     to subscriber certificate lifecycle events. The retention periods
>     are in conflict as to the length of retention.
>
>     The proposed changes seek to bring these two sections of the
>     “Baseline Requirements” into agreement and avoid confusion and
>     potential issues of noncompliance as they relate to retention
>     periods.
>
>     The NetSec discussion document for this ballot is attached as a
>     PDF to this email.
>
>     -- MOTION BEGINS --
>
>     Delete the following Section 5.5.2 Retention period for archive
>     from the “Baseline Requirements for the Issuance and Management of
>     Publicly-Trusted Certificates”, which currently reads as follows:
>
>     The CA SHALL retain all documentation relating to certificate

>     requests and the verification thereof, and all Certificates and
>     revocation thereof, for at least seven years after any Certificate
>     based on that documentation ceases to be valid.
>     Insert, as Section 5.5.2. Retention period for archive of the
>     “Baseline Requirements for the Issuance and Management of
>     Publicly-Trusted Certificates”, the following:
>
>     The CA SHALL retain all documentation relating to certificate
>     requests and the verification thereof, and all Certificates and
>     revocation thereof, for at least two years after any Certificate
>     based on that documentation ceases to be valid.
>
>     -- MOTION ENDS --
>
>     * WARNING *: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE
>     OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):
>
>     A comparison of the changes can be found at:
>     https://github.com/cabforum/documents/compare/8f63128...neildunbar:180341b
>     <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_cabforum_documents_compare_8f63128...neildunbar-3A180341b&d=DwMDaQ&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=CpV9vPLOvjSDUMud4-dDJv1YybQzSFeOYguTNqxdo0M&m=EGxdM3w1z1THlvxCnCGXPnSGyHtM-EVwz9cq5C7KbyQ&s=DqQ0s5QBOn2ojvg8Fpf15VtRNda0RgQ92atulaj0fZE&e=>
>
>     This ballot proposes one Final Maintenance Guideline.
>
>     The procedure for approval of this ballot is as follows:
>
>     Discussion: (7+ days)
>     Start Time: 2020-12-09 17:00 UTC
>     End Time: not before 2020-12-16 17:00 UTC
>
>     Vote for approval: (7 days)
>     Start Time: TBD
>     End Time: TBD
>
>
>
>     _______________________________________________
>
>     Servercert-wg mailing list
>
>     Servercert-wg at cabforum.org  <mailto:Servercert-wg at cabforum.org>
>
>     https://lists.cabforum.org/mailman/listinfo/servercert-wg  <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.cabforum.org_mailman_listinfo_servercert-2Dwg&d=DwMDaQ&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=CpV9vPLOvjSDUMud4-dDJv1YybQzSFeOYguTNqxdo0M&m=EGxdM3w1z1THlvxCnCGXPnSGyHtM-EVwz9cq5C7KbyQ&s=wvuQC0JNDf13qB5PQekAwJ202u7ZgswoRkCRu5Z7-z4&e=>
>
> ------------------------------------------------------------------------
> This message, and any attachments, is for the intended recipient(s) 
> only, may contain information that is privileged, confidential and/or 
> proprietary and subject to important terms and conditions available at 
> http://www.bankofamerica.com/emaildisclaimer. If you are not the 
> intended recipient, please delete this message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20201230/69553c07/attachment.html>

More information about the Servercert-wg mailing list