[Servercert-wg] VOTING BEGINS: SC28v6 - Logging and Log Retention

Tobias S. Josefowitz tobij at opera.com
Thu Sep 10 08:52:27 MST 2020


Opera votes YES on Ballot SC28v6.

On Thu, 3 Sep 2020, Neil Dunbar via Servercert-wg wrote:

> *--- MOTION BEGINS ---*
>
> Delete the following Section 5.4.1. from the "Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Certificates", version
> 1.6.7, which currently reads as follows:
>
> The CA and each Delegated Third Party SHALL record details of the
> actions taken to process a certificate request and to issue a
> Certificate, including all information generated and documentation
> received in connection with the certificate request; the time and date;
> and the personnel involved. The CA SHALL make these records available
> to its Qualified Auditor as proof of the CA's compliance with these
> Requirements.
>
> The CA SHALL record at least the following events:
>
>  1. CA key lifecycle management events, including: 
>
> a. Key generation, backup, storage, recovery, archival,
> and destruction; and 
>
> b. Cryptographic device lifecycle management events. 
>
> 2. CA and Subscriber Certificate lifecycle management events, including:
>
> a.  Certificate requests, issuance, renewal, and re-key requests,
>  and revocation;
>
> b.  All verification activities stipulated in these Requirements
>  and the CA's Certification Practice Statement;
>
> c.  Date, time, phone number used, persons spoken to, and end
>  results of verification telephone calls;
>
> d.  Acceptance and rejection of certificate requests; Frequency
>  of Processing Log
>
> e.  Issuance of Certificates; and
>
> f.  Generation of Certificate Revocation Lists and OCSP entries.
>
> 3. Security events, including:
>
> a.  Successful and unsuccessful PKI system access attempts;
>
> b.  PKI and security system actions performed;
>
> c.  Security profile changes;
>
> d.  System crashes, hardware failures, and other anomalies;
>
> e.  Firewall and router activities; and
>
> f.  Entries to and exits from the CA facility.
>
> Insert in Section 1.6.1 (Definitions) of the "Baseline Requirements for the
> Issuance and Management of Publicly-Trusted Certificates", the following (after
> the definition of "Certification Practice Statement"):
>
> Certificate Profile: A set of documents or files that defines requirements for
> Certificate content and Certificate extensions in accordance with Section 7 of
> the Baseline Requirements. e.g. a Section in a CA's CPS or a certificate
> template file used by CA software.
>
> Insert, as Section 5.4.1. (Types of events recorded) of the "Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates", the following:
>
> Section 5.4.1
>
> The CA and each Delegated Third Party SHALL record details of the actions taken
> to process a certificate request and to issue a Certificate, including all information
> generated and documentation received in connection with the certificate request;
> the time and date; and the personnel involved. The CA SHALL make these records
> available to its Qualified Auditor as proof of the CA's compliance with these
> Requirements.
>
> The CA SHALL record at least the following events:
>
> 1. CA certificate and key lifecycle events, including:
>
>    1. Key generation, backup, storage, recovery, archival, and destruction;
>    2. Certificate requests, renewal, and re-key requests, and revocation;
>    3. Approval and rejection of certificate requests;
>    4. Cryptographic device lifecycle management events;
>    5. Generation of Certificate Revocation Lists and OCSP entries;
>    6. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
>
> 2. Subscriber Certificate lifecycle management events, including:
>
>    1. Certificate requests, renewal, and re-key requests, and revocation;
>    2. All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;
>    3. Approval and rejection of certificate requests;
>    4. Issuance of Certificates; and
>    5. Generation of Certificate Revocation Lists and OCSP entries.
>
> 3. Security events, including:
>
>    1. Successful and unsuccessful PKI system access attempts;
>    2. PKI and security system actions performed;
>    3. Security profile changes;
>    4. Installation, update and removal of software on a Certificate System;
>    5. System crashes, hardware failures, and other anomalies;
>    6. Firewall and router activities; and
>    7. Entries to and exits from the CA facility.
>
> Delete the following Section 5.4.3. from the "Baseline Requirements for the Issuance
> and Management of Publicly-Trusted Certificates", version 1.6.7, which currently
> reads as follows:
>
> The CA SHALL retain any audit logs generated for at least seven years. The CA
> SHALL make these audit logs available to its Qualified Auditor upon request.
>
> Insert, as Section 5.4.3. Retention Period for Audit Logs of the "Baseline Requirements
> for the Issuance and Management of Publicly-Trusted Certificates", the following:
>
> The CA SHALL retain, for at least two years:
>
> 1. CA certificate and key lifecycle management event records (as set forth in Section 5.4.1 (1)) after the later occurrence of:
>
>    1. the destruction of the CA Private Key; or
>    2. the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 basicConstraints extension with the cA field set to true and which share a common Public Key corresponding to the CA Private Key;
>
> 2. Subscriber Certificate lifecycle management event records (as set forth in Section 5.4.1 (2)) after the revocation or expiration of the Subscriber Certificate.
>
> 3. Any security event records (as set forth in Section 5.4.1 (3)) after the event occurred.
>
> Delete from "Network and Certificate Systems Security Requirements", Version 1.3,
> Section 3.b
>
> b.  Identify those Certificate Systems under the control of CA or Delegated
>    Third Party Trusted Roles capable of monitoring and logging system activity
>    and enable those systems to continuously monitor and log system activity;
>
> Insert new "Network and Certificate Systems Security Requirements", Version 1.3,
> Section 3.b with the following text:
>
> b.  Identify those Certificate Systems under the control of CA or Delegated
>    Third Party Trusted Roles capable of monitoring and logging system activity,
>    and enable those systems to log and continuously monitor the events specified
>    in Section 5.4.1 (3) of the Baseline Requirements for the Issuance and
>    Management of Publicly-Trusted Certificates;
>
> *--- MOTION ENDS ---*

