[Servercert-wg] Potential addition to Cleanups and Clarifications Ballot about Section 5.4.1

Ryan Sleevi sleevi at google.com
Fri May 15 08:46:37 MST 2020


On Thu, May 14, 2020 at 8:24 PM Wayne Thayer via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> On Thu, May 14, 2020 at 4:17 PM Ponds-White, Trevoli via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> As a part of the network security meetings we’ve been looking a lot at
>> the requirements related to logging procedures. One question that came up
>> is whether or not the last 4 lines of section 5.4.1 are a subset of 3.f or
>> part of section 5.4.1 as a whole. Because of the tabbing the format of the
>> last 4 lines looks like it’s part of section 5.4.1 as a whole but when you
>> read it it doesn’t seem consistent with that section and makes more sense
>> as being specifically a part of 5.4.1.3.f.
>>
>> If it’s supposed to be part of 3.f can it be reformatted in the cleanup
>> ballot? If there is consensus that it’s not a part of 3.f the net sec group
>> can include an edit to the language in an upcoming ballot. We have a draft
>> ballot with a relevant reason to edit the list IF it’s not a subset of 3.f.
>>
>> To give you an idea here are the last 11 lines of section 5.4.1.
>>
>> Security events, including:
>>
>> a. Successful and unsuccessful PKI system access attempts;
>> b. PKI and security system actions performed;
>> c. Security profile changes;
>> d. System crashes, hardware failures, and other anomalies;
>> e. Firewall and router activities; and
>> f. Entries to and exits from the CA facility.
>>
>> Log entries MUST include the following elements:
>>
>> 1. Date and time of entry;
>> 2. Identity of the person making the journal entry; and
>> 3. Description of the entry.
>>
>> Thoughts?
>>
>>
> I can see the potential for confusion over the context of "entry", but I'm
> almost certain that those last 4 lines apply to the entire section, not
> just 3(f). It's perhaps a bit clearer back in V1 (section 15.2):
> https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf
>

I agree with Wayne. Thanks for digging up the older version, that's
definitely useful!

The section cited is effectively a restatement of the requirement in the
opening paragraph of 5.4.1, by trying to make it clearer that the level of
detail required to fulfill that paragraph 1 requirement is at the recorded
event level, and not just in aggregate. Perhaps just rewording "log
entries" to say "recorded events", which would provide symmetry to the
overall section?

I filed https://github.com/cabforum/documents/issues/180 just to be able to
track the question and resolution :)