[Servercert-wg] VOTING BEGINS: SC28v6 - Logging and Log Retention

Wojciech Trapczyński wtrapczynski at certum.pl
Wed Sep 9 22:01:17 MST 2020


Certum votes YES on Ballot SC28v6.

W dniu 03.09.2020 o 14:22, Neil Dunbar via Servercert-wg pisze:
> This begins the voting period for ballot SC28: Logging and Log Retention.
> 
> The ballot has been in heartbeat for some time - hopefully CAs have had 
> the time to look at the issues within during this extended discussion 
> period.
> 
> [The discussion document is attached to this email]
> 
> Current redline:https://github.com/cabforum/documents/compare/16a5a9b...neildunbar:498c5ad
> 
> 
> Purpose of Ballot:
> 
> 
> The proposed changes seek to clarify the relationship between audit
> logging obligations under Network and Certification System Security
> Requirements and Baseline Requirements and to reduce the retention
> period for log data, when appropriate. The proposed change also provides
> clarification by specifically cross-referencing the Baseline Requirements.
> 
> The current log retention requirements for subscriber certificates
> require certificate validation and certificate activity to be retained
> for seven years, while the lifetime of a certificate is only two years.
> There does not seem to be a justification for retaining logs three times
> as long as the lifetime of the certificate. As certificate lifetimes
> move to one year this further supports a reduction in log retention;
> this ballot proposes a sorting of the logged events into logical
> categories, together with a requirement of CAs to retain the data for
> two years after the event has passed (as opposed to the blanket seven
> years which exists as a duty currently).
> 
> The benefit of this ballot is to reduce data retention requirements for
> those log elements which most CAs consider as having limited long-term
> value. As an example, firewall and router activity logs are of
> significant size and thus impose significant storage requirements. These
> logs serve a benefit when investigating a potential security event,
> however, these logs lose value with the passage of time. Logs containing
> firewall traffic that is several years old provide little value in the
> investigation of a contemporary incident. Additionally, certificate
> validation and issuance logs have little value after a certificate has
> expired. The log size for many CAs is measured in terabytes, each year
> and the overhead of storing these logs and monitoring for compliance is
> significant. The benefit for reducing retention is considered high.
> 
> The dicussion document which forms the basis of the ballot is attached
> as a PDF to this email - previous attempts to link to the Google Drive
> document ran up against permission problems in the past.
> 
> Proposal
> 
> The following ballot is proposed by Neil Dunbar of TrustCor Systems and
> endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of
> Microsoft.
> 
> *— MOTION BEGINS —*
> 
> Delete the following Section 5.4.1. from the “Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Certificates”, version
> 1.6.7, which currently reads as follows:
> 
> The CA and each Delegated Third Party SHALL record details of the
> actions taken to process a certificate request and to issue a
> Certificate, including all information generated and documentation
> received in connection with the certificate request; the time and date;
> and the personnel involved. The CA SHALL make these records available
> to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
> 
> The CA SHALL record at least the following events:
> 
>   1. CA key lifecycle management events, including:
> 
> a. Key generation, backup, storage, recovery, archival,
> and destruction; and
> 
> b. Cryptographic device lifecycle management events.
> 
> 2. CA and Subscriber Certificate lifecycle management events, including:
> 
> a.  Certificate requests, issuance, renewal, and re-key requests,
>   and revocation;
> 
> b.  All verification activities stipulated in these Requirements
>   and the CA’s Certification Practice Statement;
> 
> c.  Date, time, phone number used, persons spoken to, and end
>   results of verification telephone calls;
> 
> d.  Acceptance and rejection of certificate requests; Frequency
>   of Processing Log
> 
> e.  Issuance of Certificates; and
> 
> f.  Generation of Certificate Revocation Lists and OCSP entries.
> 
> 3. Security events, including:
> 
> a.  Successful and unsuccessful PKI system access attempts;
> 
> b.  PKI and security system actions performed;
> 
> c.  Security profile changes;
> 
> d.  System crashes, hardware failures, and other anomalies;
> 
> e.  Firewall and router activities; and
> 
> f.  Entries to and exits from the CA facility.
> 
> Insert in Section 1.6.1 (Definitions)  of the “Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates”, the following (after
> the definition of “Certification Practice Statement”):
> 
> Certificate Profile: A set of documents or files that defines requirements for
> Certificate content and Certificate extensions in accordance with Section 7 of
> the Baseline Requirements. e.g. a Section in a CA’s CPS or a certificate
> template file used by CA software.
> 
> Insert, as Section 5.4.1. (Types of events recorded) of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
> 
> Section 5.4.1
> 
> The CA and each Delegated Third Party SHALL record details of the actions taken
> to process a certificate request and to issue a Certificate, including all information
> generated and documentation received in connection with the certificate request;
> the time and date; and the personnel involved. The CA SHALL make these records
> available to its Qualified Auditor as proof of the CA’s compliance with these
> Requirements.
> 
> The CA SHALL record at least the following events:
> 
>  1.
> 
>     CA certificate and key lifecycle events, including:
> 
>      1.
> 
>         Key generation, backup, storage, recovery, archival, and destruction;
> 
>      2.
> 
>         Certificate requests, renewal, and re-key requests, and revocation;
> 
>      3.
> 
>         Approval and rejection of certificate requests;
> 
>      4.
> 
>         Cryptographic device lifecycle management events;
> 
>      5.
> 
>         Generation of Certificate Revocation Lists and OCSP entries;
> 
>      6.
> 
>         Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
> 
>  2.
> 
>     Subscriber Certificate lifecycle management events, including:
> 
>      1.
> 
>         Certificate requests, renewal, and re-key requests, and revocation;
> 
>      2.
> 
>         All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;
> 
>      3.
> 
>         Approval and rejection of certificate requests;
> 
>      4.
> 
>         Issuance of Certificates; and
> 
>      5.
> 
>         Generation of Certificate Revocation Lists and OCSP entries.
> 
>  3.
> 
>     Security events, including:
> 
>      1.
> 
>         Successful and unsuccessful PKI system access attempts;
> 
>      2.
> 
>         PKI and security system actions performed;
> 
>      3.
> 
>         Security profile changes;
> 
>      4.
> 
>         Installation, update and removal of software on a Certificate System;
> 
>      5.
> 
>         System crashes, hardware failures, and other anomalies;
> 
>      6.
> 
>         Firewall and router activities; and
> 
>      7.
> 
>         Entries to and exits from the CA facility.
> 
> Delete the following Section 5.4.3. from the “Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates”, version 1.6.7, which currently
> reads as follows:
> 
> The CA SHALL retain any audit logs generated for at least seven years. The CA
> SHALL make these audit logs available to its Qualified Auditor upon request.
> 
> Insert, as Section 5.4.3. Retention Period for Audit Logs of the “Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates”, the following:
> 
> The CA SHALL retain, for at least two years:
> 
>  1.
> 
>     CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:
> 
>      1.
> 
>         the destruction of the CA Private Key; or
> 
>      2.
> 
>         the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key;
> 
>  2.
> 
>     Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.
> 
>  3.
> 
>     Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred.
> 
> Delete from “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b
> 
> b.  Identify those Certificate Systems under the control of CA or Delegated
>      Third Party Trusted Roles capable of monitoring and logging system activity
>      and enable those systems to continuously monitor and log system activity;
> 
> Insert new “Network and Certificate Systems Security Requirements”, Version 1.3,
> Section 3.b with the following text:
> 
> b.  Identify those Certificate Systems under the control of CA or Delegated
>      Third Party Trusted Roles capable of monitoring and logging system activity,
>      and enable those systems to log and continuously monitor the events specified
>      in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and
>      Management of Publicly-Trusted Certificates;
> 
> *
> 
> *— MOTION ENDS —*
> 
> *
> 
> Discussion (7+ days)
> 
> Start Time: 2020-07-10 17:00:00 UTC
> 
> End Time: 2020-08-28 17:00:00 UTC
> 
> Vote for approval (7 days)
> 
> Start Time : 2020-09-03 17:00:00 UTC
> 
> End Time: 2020-09-10 17:00:00 UTC
> 
> 
> Treść wiadomości zostanie pobrana na żądanie.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3765 bytes
Desc: Kryptograficzna sygnatura S/MIME
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20200910/30d5f7fa/attachment.p7s>


More information about the Servercert-wg mailing list