[Servercert-wg] VOTING BEGINS: SC28v6 - Logging and Log Retention

Pedro FUENTES pfuentes at WISEKEY.COM
Tue Sep 8 08:19:29 MST 2020


OISTE votes "yes" on Ballot SC28v6 

> On 3 Sep 2020, at 14:22, Neil Dunbar via Servercert-wg <servercert-wg at cabforum.org> wrote:
> 
> This begins the voting period for ballot SC28: Logging and Log Retention.
> 
> The ballot has been in heartbeat for some time - hopefully CAs have had the time to look at the issues within during this extended discussion period.
> 
> [The discussion document is attached to this email]
> 
> Current redline: https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad
> 
> Purpose of Ballot:
> 
> The proposed changes seek to clarify the relationship between audit
> logging obligations under Network and Certification System Security
> Requirements and Baseline Requirements and to reduce the retention
> period for log data, when appropriate. The proposed change also provides
> clarification by specifically cross-referencing the Baseline Requirements.
> 
> The current log retention requirements for subscriber certificates
> require certificate validation and certificate activity to be retained
> for seven years, while the lifetime of a certificate is only two years.
> There does not seem to be a justification for retaining logs three times
> as long as the lifetime of the certificate. As certificate lifetimes
> move to one year this further supports a reduction in log retention;
> this ballot proposes a sorting of the logged events into logical
> categories, together with a requirement of CAs to retain the data for
> two years after the event has passed (as opposed to the blanket seven
> years which exists as a duty currently).
> 
> The benefit of this ballot is to reduce data retention requirements for
> those log elements which most CAs consider as having limited long-term
> value. As an example, firewall and router activity logs are of
> significant size and thus impose significant storage requirements. These
> logs serve a benefit when investigating a potential security event,
> however, these logs lose value with the passage of time. Logs containing
> firewall traffic that is several years old provide little value in the
> investigation of a contemporary incident. Additionally, certificate
> validation and issuance logs have little value after a certificate has
> expired. The log size for many CAs is measured in terabytes, each year
> and the overhead of storing these logs and monitoring for compliance is
> significant. The benefit for reducing retention is considered high.
> 
> The discussion document which forms the basis of the ballot is attached
> as a PDF to this email - previous attempts to link to the Google Drive
> document ran up against permission problems in the past.
> 
> Proposal
> 
> The following ballot is proposed by Neil Dunbar of TrustCor Systems and
> endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of
> Microsoft.
> *— MOTION BEGINS —*
> 
> Delete the following Section 5.4.1. from the “Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Certificates”, version
> 1.6.7, which currently reads as follows:
> The CA and each Delegated Third Party SHALL record details of the
> actions taken to process a certificate request and to issue a
> Certificate, including all information generated and documentation
> received in connection with the certificate request; the time and date;
> and the personnel involved. The CA SHALL make these records available
> to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
> The CA SHALL record at least the following events:
> 1. CA key lifecycle management events, including:
>    a. Key generation, backup, storage, recovery, archival, and destruction; and
>    b. Cryptographic device lifecycle management events.
> 2. CA and Subscriber Certificate lifecycle management events, including:
>    a. Certificate requests, issuance, renewal, and re-key requests, and revocation;
>    b. All verification activities stipulated in these Requirements and the CA’s Certification Practice Statement;
>    c. Date, time, phone number used, persons spoken to, and end results of verification telephone calls;
>    d. Acceptance and rejection of certificate requests; Frequency of Processing Log
>    e. Issuance of Certificates; and
>    f. Generation of Certificate Revocation Lists and OCSP entries.
> 3. Security events, including:
>    a. Successful and unsuccessful PKI system access attempts;
>    b. PKI and security system actions performed;
>    c. Security profile changes;
>    d. System crashes, hardware failures, and other anomalies;
>    e. Firewall and router activities; and
>    f. Entries to and exits from the CA facility.
> Insert in Section 1.6.1 (Definitions)  of the “Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates”, the following (after
> the definition of “Certification Practice Statement”):
> Certificate Profile: A set of documents or files that defines requirements for
> Certificate content and Certificate extensions in accordance with Section 7 of
> the Baseline Requirements. e.g. a Section in a CA’s CPS or a certificate
> template file used by CA software.
> Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
> Section 5.4.1
> The CA and each Delegated Third Party SHALL record details of the actions taken
> to process a certificate request and to issue a Certificate, including all information
> generated and documentation received in connection with the certificate request;
> the time and date; and the personnel involved. The CA SHALL make these records
> available to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
> The CA SHALL record at least the following events:
> 1. CA certificate and key lifecycle events, including:
>    a. Key generation, backup, storage, recovery, archival, and destruction;
>    b. Certificate requests, renewal, and re-key requests, and revocation;
>    c. Approval and rejection of certificate requests;
>    d. Cryptographic device lifecycle management events;
>    e. Generation of Certificate Revocation Lists and OCSP entries;
>    f. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
> 2. Subscriber Certificate lifecycle management events, including:
>    a. Certificate requests, renewal, and re-key requests, and revocation;
>    b. All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;
>    c. Approval and rejection of certificate requests;
>    d. Issuance of Certificates; and
>    e. Generation of Certificate Revocation Lists and OCSP entries.
> 3. Security events, including:
>    a. Successful and unsuccessful PKI system access attempts;
>    b. PKI and security system actions performed;
>    c. Security profile changes;
>    d. Installation, update and removal of software on a Certificate System;
>    e. System crashes, hardware failures, and other anomalies;
>    f. Firewall and router activities; and
>    g. Entries to and exits from the CA facility.
> Delete the following Section 5.4.3. from the “Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates”, version 1.6.7, which currently
> reads as follows:
> The CA SHALL retain any audit logs generated for at least seven years. The CA
> SHALL make these audit logs available to its Qualified Auditor upon request.
> Insert, as Section 5.4.3. Retention Period for Audit Logs of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
> 
> The CA SHALL retain, for at least two years:
> 1. CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:
>    a. the destruction of the CA Private Key; or
>    b. the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key;
> 2. Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.
> 3. Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred.
> Delete from “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b
> b.  Identify those Certificate Systems under the control of CA or Delegated
>     Third Party Trusted Roles capable of monitoring and logging system activity
>     and enable those systems to continuously monitor and log system activity;
> Insert new “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b with the following text:
> 
> b.  Identify those Certificate Systems under the control of CA or Delegated
>     Third Party Trusted Roles capable of monitoring and logging system activity,
>     and enable those systems to log and continuously monitor the events specified
>     in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and
>     Management of Publicly-Trusted Certificates;
> *— MOTION ENDS —*
> 
> Discussion (7+ days)
> 
> Start Time: 2020-07-10 17:00:00 UTC
> 
> End Time: 2020-08-28 17:00:00 UTC
> 
> Vote for approval (7 days)
> 
> Start Time : 2020-09-03 17:00:00 UTC
> 
> End Time: 2020-09-10 17:00:00 UTC
> <Ballot SC28_ Logging and Log Retention Additional Reduced Retention.pdf>


WISeKey SA
Pedro Fuentes
CSO - Trust Services Manager
Office: + 41 (0) 22 594 30 00
Mobile: + 41 (0) 791 274 790
Address: 29, Rte de Pré-Bois - CP 853 | Geneva 1215 CH - Switzerland
Stay connected with WISeKey <http://www.wisekey.com/>

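To make the retention rule in the proposed Section 5.4.3 concrete, the following is an added example (not part of the ballot, the CA/B Forum documents or any CA's own software) that computes the earliest date each class of record may be discarded. It assumes "two years" is modelled as 730 days, that dates are passed as ISO strings, and that the caller has already collected the revocation/expiry dates of every cA=true certificate sharing a CA key's public key.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Ballot text: "at least two years". 730 days is an assumed simplification
# for this illustration (it does not model leap days or the "at least").
MIN_RETENTION = timedelta(days=730)

def _d(s: Optional[str]) -> Optional[date]:
    """Parse an ISO date string ("YYYY-MM-DD"); None stays None."""
    return None if s is None else date.fromisoformat(s)

@dataclass
class CaKeyHistory:
    """One CA Private Key plus every cA=true certificate sharing its public key
    (the certificate set named in proposed Section 5.4.3 (1)(b))."""
    key_destroyed: Optional[str]          # None while the CA Private Key still exists
    cert_end_dates: List[Optional[str]]   # revocation/expiry per CA cert; None = still valid

def ca_lifecycle_retain_until(h: CaKeyHistory) -> Optional[str]:
    """5.4.1 (1) records: two years after the LATER of key destruction and the
    end of the final CA Certificate. None means the retention clock has not
    started yet, so the records must still be kept."""
    if h.key_destroyed is None or any(d is None for d in h.cert_end_dates):
        return None
    latest = max(_d(s) for s in [h.key_destroyed, *h.cert_end_dates])
    return (latest + MIN_RETENTION).isoformat()

def subscriber_retain_until(not_after: str, revoked_on: Optional[str] = None) -> str:
    """5.4.1 (2) records: two years after revocation or expiration. A revoked
    certificate stops being valid at revocation, so that date governs when it
    is earlier than notAfter."""
    ended = _d(not_after) if revoked_on is None else min(_d(revoked_on), _d(not_after))
    return (ended + MIN_RETENTION).isoformat()

def security_event_retain_until(event_date: str) -> str:
    """5.4.1 (3) records: two years after the event itself."""
    return (_d(event_date) + MIN_RETENTION).isoformat()

def may_delete(retain_until: Optional[str], today: str) -> bool:
    """True only once the computed retention period has fully elapsed."""
    return retain_until is not None and _d(today) > _d(retain_until)

# Constructed sample: an intermediate CA key with two cA=true certificates,
# the second of which outlives the key's destruction date.
SAMPLE_CA = CaKeyHistory(key_destroyed="2021-01-01",
                         cert_end_dates=["2020-06-30", "2022-03-15"])
```

Note that a CA key that is never destroyed, or a CA certificate that is still valid, keeps the clock from starting, so such records are never eligible for deletion under this rule.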
