[Servercert-wg] Voting Ends Tomorrow on Ballot SC28v6 - Logging and Log Retention

Wayne Thayer wthayer at gmail.com
Wed Sep 9 09:47:15 MST 2020


Reminder: Voting ends Thursday September 10th at 17:00 UTC on Ballot
SC28v6: Logging and Log Retention

On Thu, Sep 3, 2020 at 5:22 AM Neil Dunbar via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> This begins the voting period for ballot SC28: Logging and Log Retention.
>
> The ballot has been in heartbeat for some time - hopefully CAs have had
> the time to look at the issues within during this extended discussion
> period.
>
> [The discussion document is attached to this email]
>
> Current redline: https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad
>
>
> Purpose of Ballot:
>
> The proposed changes seek to clarify the relationship between audit
> logging obligations under Network and Certification System Security
> Requirements and Baseline Requirements and to reduce the retention period
> for log data, when appropriate. The proposed change also provides
> clarification by specifically cross-referencing the Baseline Requirements.
> The current log retention requirements for subscriber certificates require
> certificate validation and certificate activity to be retained for seven
> years, while the lifetime of a certificate is only two years. There does
> not seem to be a justification for retaining logs three times as long as
> the lifetime of the certificate. As certificate lifetimes move to one year
> this further supports a reduction in log retention; this ballot proposes a
> sorting of the logged events into logical categories, together with a
> requirement of CAs to retain the data for two years after the event has
> passed (as opposed to the blanket seven years which exists as a duty
> currently). The benefit of this ballot is to reduce data retention
> requirements for those log elements which most CAs consider as having
> limited long-term value. As an example, firewall and router activity logs
> are of significant size and thus impose significant storage requirements.
> These logs serve a benefit when investigating a potential security event,
> however, these logs lose value with the passage of time. Logs containing
> firewall traffic that is several years old provide little value in the
> investigation of a contemporary incident. Additionally, certificate
> validation and issuance logs have little value after a certificate has
> expired. The log size for many CAs is measured in terabytes, each year and
> the overhead of storing these logs and monitoring for compliance is
> significant. The benefit for reducing retention is considered high. The
> discussion document which forms the basis of the ballot is attached as a PDF
> to this email - previous attempts to link to the Google Drive document ran
> up against permission problems in the past.
>
> Proposal
>
> The following ballot is proposed by Neil Dunbar of TrustCor Systems and
> endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of Microsoft.
>
> *— MOTION BEGINS —*
>
> Delete the following Section 5.4.1. from the “Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Certificates”, version
> 1.6.7, which currently reads as follows:
>
> The CA and each Delegated Third Party SHALL record details of the
> actions taken to process a certificate request and to issue a
> Certificate, including all information generated and documentation
> received in connection with the certificate request; the time and date;
> and the personnel involved. The CA SHALL make these records available
> to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
>
> The CA SHALL record at least the following events:
>
>  1. CA key lifecycle management events, including:
>
> a. Key generation, backup, storage, recovery, archival,
> and destruction; and
>
> b. Cryptographic device lifecycle management events.
>
> 2. CA and Subscriber Certificate lifecycle management events, including:
>
> a.  Certificate requests, issuance, renewal, and re-key requests,
>  and revocation;
>
> b.  All verification activities stipulated in these Requirements
>  and the CA’s Certification Practice Statement;
>
> c.  Date, time, phone number used, persons spoken to, and end
>  results of verification telephone calls;
>
> d.  Acceptance and rejection of certificate requests; Frequency
>  of Processing Log
>
> e.  Issuance of Certificates; and
>
> f.  Generation of Certificate Revocation Lists and OCSP entries.
>
> 3. Security events, including:
>
> a.  Successful and unsuccessful PKI system access attempts;
>
> b.  PKI and security system actions performed;
>
> c.  Security profile changes;
>
> d.  System crashes, hardware failures, and other anomalies;
>
> e.  Firewall and router activities; and
>
> f.  Entries to and exits from the CA facility.
>
> Insert in Section 1.6.1 (Definitions) of the “Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates”, the following (after
> the definition of “Certification Practice Statement”):
>
> Certificate Profile: A set of documents or files that defines requirements for
> Certificate content and Certificate extensions in accordance with Section 7 of
> the Baseline Requirements. e.g. a Section in a CA’s CPS or a certificate
> template file used by CA software.
>
> Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
>
> Section 5.4.1
>
> The CA and each Delegated Third Party SHALL record details of the actions taken
> to process a certificate request and to issue a Certificate, including all information
> generated and documentation received in connection with the certificate request;
> the time and date; and the personnel involved. The CA SHALL make these records
> available to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
>
> The CA SHALL record at least the following events:
>
>
>    1. CA certificate and key lifecycle events, including:
>
>       1. Key generation, backup, storage, recovery, archival, and destruction;
>
>       2. Certificate requests, renewal, and re-key requests, and revocation;
>
>       3. Approval and rejection of certificate requests;
>
>       4. Cryptographic device lifecycle management events;
>
>       5. Generation of Certificate Revocation Lists and OCSP entries;
>
>       6. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
>
>    2. Subscriber Certificate lifecycle management events, including:
>
>       1. Certificate requests, renewal, and re-key requests, and revocation;
>
>       2. All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;
>
>       3. Approval and rejection of certificate requests;
>
>       4. Issuance of Certificates; and
>
>       5. Generation of Certificate Revocation Lists and OCSP entries.
>
>    3. Security events, including:
>
>       1. Successful and unsuccessful PKI system access attempts;
>
>       2. PKI and security system actions performed;
>
>       3. Security profile changes;
>
>       4. Installation, update and removal of software on a Certificate System;
>
>       5. System crashes, hardware failures, and other anomalies;
>
>       6. Firewall and router activities; and
>
>       7. Entries to and exits from the CA facility.
>
> Delete the following Section 5.4.3. from the “Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates”, version 1.6.7, which currently
> reads as follows:
>
> The CA SHALL retain any audit logs generated for at least seven years. The CA
> SHALL make these audit logs available to its Qualified Auditor upon request.
>
> Insert, as Section 5.4.3. Retention Period for Audit Logs of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
>
>
> The CA SHALL retain, for at least two years:
>
>    1. CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:
>
>       1. the destruction of the CA Private Key; or
>
>       2. the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key;
>
>    2. Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.
>
>    3. Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred.
>
> Delete from “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b
>
> b.  Identify those Certificate Systems under the control of CA or Delegated
>     Third Party Trusted Roles capable of monitoring and logging system activity
>     and enable those systems to continuously monitor and log system activity;
>
> Insert new “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b with the following text:
>
>
> b.  Identify those Certificate Systems under the control of CA or Delegated
>     Third Party Trusted Roles capable of monitoring and logging system activity,
>     and enable those systems to log and continuously monitor the events specified
>     in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and
>     Management of Publicly-Trusted Certificates;
>
> *— MOTION ENDS —*
>
> Discussion (7+ days)
>
> Start Time: 2020-07-10 17:00:00 UTC
>
> End Time: 2020-08-28 17:00:00 UTC
>
> Vote for approval (7 days)
>
> Start Time : 2020-09-03 17:00:00 UTC
>
> End Time: 2020-09-10 17:00:00 UTC
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>