[Servercert-wg] Ballot SC28v3: Logging and Log Retention

Neil Dunbar ndunbar at trustcorsystems.com
Thu Jul 9 03:00:19 MST 2020


That redline URL is incorrect (although it is correct in the previously
attached discussion document): it should read:

https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad

Regards,

Neil

On 09/07/2020 09:11, Neil Dunbar via Servercert-wg wrote:
>
> This is an update to the original SC28 (to make it version 3), with
> some text which addresses an issue highlighted by Malcolm Doody.
>
> The amended discussion document is attached to this email.
> Principal changes:
> 1) Moving text to make clearer the scope of CA key/certificate event retention
> Updated redline: https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:c98c5ad
>
> Purpose of Ballot:
>
> The proposed changes seek to clarify the relationship between audit
> logging obligations under Network and Certification System Security
> Requirements and Baseline Requirements and to reduce the retention
> period for log data, when appropriate. The proposed change also provides
> clarification by specifically cross-referencing the Baseline Requirements.
>
> The current log retention requirements for subscriber certificates
> require certificate validation and certificate activity to be retained
> for seven years, while the lifetime of a certificate is only two years.
> There does not seem to be a justification for retaining logs three times
> as long as the lifetime of the certificate. As certificate lifetimes
> move to one year this further supports a reduction in log retention;
> this ballot proposes a sorting of the logged events into logical
> categories, together with a requirement of CAs to retain the data for
> two years after the event has passed (as opposed to the blanket seven
> years which exists as a duty currently).
>
> The benefit of this ballot is to reduce data retention requirements for
> those log elements which most CAs consider as having limited long-term
> value. As an example, firewall and router activity logs are of
> significant size and thus impose significant storage requirements. These
> logs serve a benefit when investigating a potential security event,
> however, these logs lose value with the passage of time. Logs containing
> firewall traffic that is several years old provide little value in the
> investigation of a contemporary incident. Additionally, certificate
> validation and issuance logs have little value after a certificate has
> expired. The log size for many CAs is measured in terabytes, each year
> and the overhead of storing these logs and monitoring for compliance is
> significant. The benefit for reducing retention is considered high.
>
> The discussion document which forms the basis of the ballot is attached
> as a PDF to this email - previous attempts to link to the Google Drive
> document ran up against permission problems in the past.
>
> Proposal
>
> The following ballot is proposed by Neil Dunbar of TrustCor Systems and
> endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of
> Microsoft.
>
> *— MOTION BEGINS —*
>
> Delete the following Section 5.4.1. from the “Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Certificates”, version
> 1.6.7, which currently reads as follows:
> The CA and each Delegated Third Party SHALL record details of the
> actions taken to process a certificate request and to issue a
> Certificate, including all information generated and documentation
> received in connection with the certificate request; the time and date;
> and the personnel involved. The CA SHALL make these records available
> to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
> The CA SHALL record at least the following events:
> 1. CA key lifecycle management events, including:
>    a. Key generation, backup, storage, recovery, archival, and destruction; and
>    b. Cryptographic device lifecycle management events.
> 2. CA and Subscriber Certificate lifecycle management events, including:
>    a. Certificate requests, issuance, renewal, and re-key requests, and revocation;
>    b. All verification activities stipulated in these Requirements and the CA’s Certification Practice Statement;
>    c. Date, time, phone number used, persons spoken to, and end results of verification telephone calls;
>    d. Acceptance and rejection of certificate requests;
>    e. Issuance of Certificates; and
>    f. Generation of Certificate Revocation Lists and OCSP entries.
> 3. Security events, including:
>    a. Successful and unsuccessful PKI system access attempts;
>    b. PKI and security system actions performed;
>    c. Security profile changes;
>    d. System crashes, hardware failures, and other anomalies;
>    e. Firewall and router activities; and
>    f. Entries to and exits from the CA facility.
> Insert in Section 1.6.1 (Definitions) of the “Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates”, the following (after
> the definition of “Certification Practice Statement”):
> Certificate Profile: A set of documents or files that defines requirements for
> Certificate content and Certificate extensions in accordance with Section 7 of
> the Baseline Requirements. e.g. a Section in a CA’s CPS or a certificate
> template file used by CA software.
> Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
> Section 5.4.1
> The CA and each Delegated Third Party SHALL record details of the actions taken
> to process a certificate request and to issue a Certificate, including all information
> generated and documentation received in connection with the certificate request;
> the time and date; and the personnel involved. The CA SHALL make these records
> available to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
> The CA SHALL record at least the following events:
>
> 1. CA certificate and key lifecycle events, including:
>    1. Key generation, backup, storage, recovery, archival, and destruction;
>    2. Certificate requests, renewal, and re-key requests, and revocation;
>    3. Approval and rejection of certificate requests;
>    4. Cryptographic device lifecycle management events;
>    5. Generation of Certificate Revocation Lists and OCSP entries;
>    6. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
> 2. Subscriber Certificate lifecycle management events, including:
>    1. Certificate requests, renewal, and re-key requests, and revocation;
>    2. All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;
>    3. Approval and rejection of certificate requests;
>    4. Issuance of Certificates; and
>    5. Generation of Certificate Revocation Lists and OCSP entries.
> 3. Security events, including:
>    1. Successful and unsuccessful PKI system access attempts;
>    2. PKI and security system actions performed;
>    3. Security profile changes;
>    4. Installation, update and removal of software on a Certificate System;
>    5. System crashes, hardware failures, and other anomalies;
>    6. Firewall and router activities; and
>    7. Entries to and exits from the CA facility.
>
> Delete the following Section 5.4.3. from the “Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates”, version 1.6.7, which currently
> reads as follows:
> The CA SHALL retain any audit logs generated for at least seven years. The CA
> SHALL make these audit logs available to its Qualified Auditor upon request.
> Insert, as Section 5.4.3. Retention Period for Audit Logs of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
>
> The CA SHALL retain, for at least two years:
>
> 1. CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:
>    1. the destruction of the CA Private Key; or
>    2. the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key, whichever event occurs later.
> 2. Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.
> 3. Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred.
>
> Delete from “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b
> b.  Identify those Certificate Systems under the control of CA or Delegated
>     Third Party Trusted Roles capable of monitoring and logging system activity
>     and enable those systems to continuously monitor and log system activity;
> Insert new “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b with the following text:
>
> b.  Identify those Certificate Systems under the control of CA or Delegated
>     Third Party Trusted Roles capable of monitoring and logging system activity,
>     and enable those systems to log and continuously monitor the events specified
>     in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and
>     Management of Publicly-Trusted Certificates;
>
> *— MOTION ENDS —*
>
> Discussion (7+ days)
>
> Start Time: 2020-07-09 17:00:00 UTC
>
> End Time: 2020-07-15 17:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time : TBD
>
> End Time: TBD
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
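As an added illustration (not part of the ballot or the mailing list thread), the retention clocks of the proposed Section 5.4.3 expressed as code a CA log-lifecycle job could use. It assumes a two-year period of 730 days, reads "revocation or expiration" as whichever event happens first, and treats the CA-key clock as not yet started while the private key still exists, since the "later occurrence" has not happened.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# "at least two years" (proposed BR 5.4.3); assumption: counted as 730 days.
RETENTION = timedelta(days=730)


@dataclass
class CaCert:
    """One cA=true certificate bound to a CA public key (hypothetical record layout)."""
    not_after: date
    revoked_on: Optional[date] = None

    def end(self) -> date:
        # The certificate stops counting at revocation or expiry, whichever comes first.
        return min(self.not_after, self.revoked_on) if self.revoked_on else self.not_after


@dataclass
class CaKey:
    certs: List[CaCert]                 # every CA Certificate sharing this public key
    destroyed_on: Optional[date] = None  # None while the CA Private Key still exists


def ca_key_retention_until(key: CaKey) -> Optional[date]:
    """5.4.3(1): two years after the LATER of key destruction and the end of the
    final CA Certificate. Returns None while the clock has not started."""
    if key.destroyed_on is None or not key.certs:
        return None  # key not destroyed (or no certificate known): keep the records
    final_cert_end = max(c.end() for c in key.certs)
    return max(key.destroyed_on, final_cert_end) + RETENTION


def subscriber_retention_until(not_after: date, revoked_on: Optional[date] = None) -> date:
    """5.4.3(2): two years after revocation or expiry of the Subscriber Certificate."""
    ended = min(not_after, revoked_on) if revoked_on else not_after
    return ended + RETENTION


def security_event_retention_until(event_on: date) -> date:
    """5.4.3(3): two years after the security event itself."""
    return event_on + RETENTION


def may_purge(retention_until: Optional[date], today: date) -> bool:
    """A record may be deleted only once its retention date has passed."""
    return retention_until is not None and today > retention_until
```

Note that an unexpired, unrevoked CA Certificate still yields a date (its notAfter), so the result can lie in the future; only a surviving private key leaves the clock unstarted.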