[Servercert-wg] Ballot SC28: Logging and Log Retention

Neil Dunbar ndunbar at trustcorsystems.com
Wed May 27 07:38:55 MST 2020


This begins the discussion period for the Ballot SC28: Logging and Log
Retention

Purpose of Ballot:

The proposed changes seek to clarify the relationship between audit
logging obligations under Network and Certification System Security
Requirements and Baseline Requirements and to reduce the retention
period for log data, when appropriate. The proposed change also provides
clarification by specifically cross-referencing the Baseline Requirements.

The current log retention requirements for subscriber certificates
require certificate validation and certificate activity to be retained
for seven years, while the lifetime of a certificate is only two years.
There does not seem to be a justification for retaining logs three times
as long as the lifetime of the certificate. As certificate lifetimes
move to one year this further supports a reduction in log retention;
this ballot proposes a sorting of the logged events into logical
categories, together with a requirement of CAs to retain the data for
two years after the event has passed (as opposed to the blanket seven
years which exists as a duty currently).

The benefit of this ballot is to reduce data retention requirements for
those log elements which most CAs consider as having limited long-term
value. As an example, firewall and router activity logs are of
significant size and thus impose significant storage requirements. These
logs serve a benefit when investigating a potential security event,
however, these logs lose value with the passage of time. Logs containing
firewall traffic that is several years old provide little value in the
investigation of a contemporary incident. Additionally, certificate
validation and issuance logs have little value after a certificate has
expired. The log size for many CAs is measured in terabytes each year,
and the overhead of storing these logs and monitoring for compliance is
significant. The benefit for reducing retention is considered high.

The discussion document which forms the basis of the ballot is attached
as a PDF to this email - previous attempts to link to the Google Drive
document ran up against permission problems in the past.

Proposal

The following ballot is proposed by Neil Dunbar of TrustCor Systems and
endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of
Microsoft.

*— MOTION BEGINS —*

Delete the following Section 5.4.1. from the “Baseline Requirements for
the Issuance and Management of Publicly-Trusted Certificates”, version
1.6.7, which currently reads as follows:

The CA and each Delegated Third Party SHALL record details of the
actions taken to process a certificate request and to issue a
Certificate, including all information generated and documentation
received in connection with the certificate request; the time and date;
and the personnel involved. The CA SHALL make these records available to
its Qualified Auditor as proof of the CA’s compliance with these
Requirements.

The CA SHALL record at least the following events:

 1. CA key lifecycle management events, including:

    a. Key generation, backup, storage, recovery, archival, and
destruction; and

    b. Cryptographic device lifecycle management events.

2. CA and Subscriber Certificate lifecycle management events, including:

    a. Certificate requests, issuance, renewal, and re-key requests, and
revocation;

    b. All verification activities stipulated in these Requirements and
the CA’s Certification Practice Statement;

    c. Date, time, phone number used, persons spoken to, and end results
of verification telephone calls;

    d. Acceptance and rejection of certificate requests;

    e. Issuance of Certificates; and

    f. Generation of Certificate Revocation Lists and OCSP entries.

3. Security events, including:

    a. Successful and unsuccessful PKI system access attempts;

    b. PKI and security system actions performed;

    c. Security profile changes;

    d. System crashes, hardware failures, and other anomalies;

    e. Firewall and router activities; and

    f. Entries to and exits from the CA facility.

Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline
Requirements for the Issuance and Management of Publicly-Trusted
Certificates”, the following:

Section 5.4.1

The CA and each Delegated Third Party SHALL record details of the
actions taken to process a certificate request and to issue a
Certificate, including all information generated and documentation
received in connection with the certificate request; the time and date;
and the personnel involved. The CA SHALL make these records available to
its Qualified Auditor as proof of the CA’s compliance with these
Requirements.

The CA SHALL record at least the following events:

    1. CA certificate and key lifecycle events, including:

        1. Key generation, backup, storage, recovery, archival, and
destruction;

        2. Certificate requests, renewal, and re-key requests, and
revocation;

        3. Approval and rejection of certificate requests;

        4. Cryptographic device lifecycle management events;

        5. Generation of Certificate Revocation Lists and OCSP entries.

    2. Subscriber Certificate lifecycle management events, including:

        1. Certificate requests, renewal, and re-key requests, and
revocation;

        2. All verification activities stipulated in these Requirements
and the CA's Certification Practice Statement;

        3. Approval and rejection of certificate requests;

        4. Issuance of Certificates; and

        5. Generation of Certificate Revocation Lists and OCSP entries.

    3. Security events, including:

        1. Successful and unsuccessful PKI system access attempts;

        2. PKI and security system actions performed;

        3. Security profile changes;

        4. System crashes, hardware failures, and other anomalies;

        5. Firewall and router activities; and

        6. Entries to and exits from the CA facility.

Delete the following Section 5.4.3. from the “Baseline Requirements for
the Issuance and Management of Publicly-Trusted Certificates”, version
1.6.7, which currently reads as follows:

    The CA SHALL retain any audit logs generated for at least seven
years. The CA SHALL make these audit logs available to its Qualified
Auditor upon request.

Insert, as Section 5.4.3. Retention Period for Audit Logs of the
“Baseline Requirements for the Issuance and Management of
Publicly-Trusted Certificates”, the following:

    The CA SHALL retain, for at least two years:

        1. CA certificate and key lifecycle management event records (as
set forth in Section 5.4.1.1) after either: the destruction of the CA
key, or the revocation or expiration of the CA certificate, whichever
occurs later.

        2. Subscriber Certificate lifecycle management event records (as
set forth in Section 5.4.1.2) after the revocation or expiration of the
Subscriber Certificate;

        3. Any security event records (as set forth in Section 5.4.1.3)
after the event occurred.

Delete from “Network and Certificate Systems Security Requirements”,
Version 1.3, Section 3.b

    b.  Identify those Certificate Systems under the control of CA or
Delegated Third Party Trusted Roles capable of monitoring and logging
system activity and enable those systems to continuously monitor and log
system activity;

Insert new “Network and Certificate Systems Security Requirements”,
Version 1.3, Section 3.b with the following text:

    b.  Identify those Certificate Systems under the control of CA or
Delegated Third Party Trusted Roles capable of monitoring and logging
system activity, and enable those systems to log and continuously
monitor the events specified in Section 5.4.1.3 of the Baseline
Requirements for the Issuance and Management of Publicly-Trusted
Certificates;

*— MOTION ENDS —*

*** WARNING ***: USE AT YOUR OWN RISK.  THE REDLINE BELOW IS NOT THE
OFFICIAL VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):

A comparison of the changes can be found at:

https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:05b8c25

Effective as of the date this Ballot becomes incorporated into a Final
Guideline.

This ballot proposes two Final Maintenance Guidelines

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2020-05-27 17:00:00 UTC

End Time: 2020-06-10 17:00:00 UTC

Vote for approval (7 days)

Start Time : TBD

End Time: TBD

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Ballot SC28_ Logging and Log Retention Additional Reduced Retention.pdf
Type: application/pdf
Size: 73340 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200527/75d047ae/attachment-0001.pdf>

