[Servercert-wg] Potential addition to Cleanups and Clarifications Ballot about Section 5.4.1

Ponds-White, Trevoli trevolip at amazon.com
Mon May 18 15:28:11 MST 2020


Thanks, I’d always read it as applying to the whole section, but I started to doubt this interpretation the more I read it. I think it would help to make the wording consistent with the section. The NetSec group can change it in an upcoming ballot that touches this section.


From: Ryan Sleevi <sleevi at google.com>
Sent: Friday, May 15, 2020 8:47
To: Wayne Thayer <wthayer at gmail.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Cc: Ponds-White, Trevoli <trevolip at amazon.com>
Subject: RE: [EXTERNAL] [Servercert-wg] Potential addition to Cleanups and Clarifications Ballot about Section 5.4.1






On Thu, May 14, 2020 at 8:24 PM Wayne Thayer via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
On Thu, May 14, 2020 at 4:17 PM Ponds-White, Trevoli via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:
As a part of the network security meetings we’ve been looking a lot at the requirements related to logging procedures. One question that came up is whether or not the last 4 lines of section 5.4.1 are a subset of 3.f or part of section 5.4.1 as a whole. Because of the tabbing the format of the last 4 lines looks like it’s part of section 5.4.1 as a whole but when you read it it doesn’t seem consistent with that section and makes more sense as being specifically a part of 5.4.1.3.f.

If it’s supposed to be part of 3.f can it be reformatted in the cleanup ballot? If there is consensus that it’s not a part of 3.f the net sec group can include an edit to the language in an upcoming ballot. We have a draft ballot with a relevant reason to edit the list IF it’s not a subset of 3.f.

To give you an idea here are the last 11 lines of section 5.4.1.

Security events, including:

a. Successful and unsuccessful PKI system access attempts;

b. PKI and security system actions performed;

c. Security profile changes;

d. System crashes, hardware failures, and other anomalies;

e. Firewall and router activities; and

f. Entries to and exits from the CA facility.

Log entries MUST include the following elements:

1. Date and time of entry;

2. Identity of the person making the journal entry; and

3. Description of the entry.

Thoughts?

I can see the potential for confusion over the context of "entry", but I'm almost certain that those last 4 lines apply to the entire section, not just 3(f). It's perhaps a bit clearer back in V1 (section 15.2): https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf

I agree with Wayne. Thanks for digging up the older version, that's definitely useful!

The section cited is effectively a restatement of the requirement in the opening paragraph of 5.4.1, by trying to make it clearer that the level of detail required to fulfill that paragraph 1 requirement is at the recorded event level, and not just in aggregate. Perhaps just rewording "log entries" to say "recorded events", which would provide symmetry to the overall section?

I filed https://github.com/cabforum/documents/issues/180 just to be able to track the question and resolution :)