[Servercert-wg] Discussion Period Begins on Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements

Aaron Gable aaron at letsencrypt.org
Thu Jan 20 16:27:06 UTC 2022


On Thu, Jan 20, 2022 at 7:39 AM Clint Wilson <clintw at apple.com> wrote:

>
> I believe this to be a correct reading of the requirement. I think the
> primary reason there are 2 sections covering all this is simply that
> RFC3647 defines these as two separate sections with related, but separate,
> activities involved (“5.4 Audit Logging Procedures” and “5.5 Records
> Archival”).
>

This makes some sense, and I believe that the RFC3647 distinction between
audit logging and records archival can certainly be a valuable one. But in
my mind all of that value comes from the difference in how these two things
are protected, backed up, and accessed (e.g. presumably audit logs should
be easily accessible so that they can be "processed"; while records
archives should be more securely backed up and protected so that auditing
can still occur in case of disaster). Since this ballot still leaves those
subsections empty (i.e. no stipulation) it is not clear to me that
repeating nearly-identical "types of records" and "period of retention"
sections has value.

>
> Additionally, I find the phrasing of Section 5.5.1 to be unfortunate: it
> contains two sentences, both of which start "The CA and each Delegated
> Third Party SHALL archive records related to...". These should be combined
> into a single bulleted list, much as Section 5.5.2 does.
>
> This was done in part to create direct comparability between 5.5.1 and
> 5.4.3, however if there’s little to no perceived value in that structure,
> the section could be combined, I think. I had made some prior attempts at
> this, which didn’t result in very readable text primarily due to the
> addition of documentation as input to the archive on top of the event
> records coming from audit logs. However, maybe something like this could
> work?
>
> ### 5.5.1 Types of records archived
>
> The CA and each Delegated Third Party SHALL archive records relating to:
>
> 1. CA certificate and key lifecycle management event records (as set forth
> in [Section 5.4.1](#541-types-of-events-recorded) (1));
> 2. Subscriber Certificate lifecycle management event records (as set forth
> in [Section 5.4.1](#541-types-of-events-recorded) (2));
> 3. Security event records (as set forth in [Section
> 5.4.1](#541-types-of-events-recorded) (3));
> 4. The security of their Certificate Systems, Certificate Management
> Systems, Root CA Systems, and Delegated Third Party Systems; and
> 5. Event records and documentation related to their verification,
> issuance, and revocation of certificate requests and Certificates
>
>
Yep, this is exactly what I was thinking of when I sent my last email, but
now I have a proposal I like even better. I think it would make the most
sense to say something like:

"""
### 5.5.1: Types of records archived

The CA and each Delegated Party SHALL archive all audit logs.

Additionally, they SHALL archive:
1. Documentation related to the security of their Certificate Systems,
Certificate Management Systems, Root CA Systems, and Delegated Third Party
Systems; and
2. Documentation related to their verification, issuance, and revocation of
certificate requests and Certificates.
*(ed. note: the phrase "event records" has been removed from the second
bullet, as that is covered by the "audit logs" in the first sentence.)*

### 5.5.2: Retention period for archive

Audit logs must be archived for a period of at least two (2) years from
their record creation timestamp, or as long as they are required to be
retained per Section 5.4.3, whichever is longer.

Additionally, the CA and each delegated party SHALL retain, for at least
two (2) years:
1. All archived documentation related to the security of Certificate
Systems, Certificate Management Systems, Root CA Systems and Delegated
Third Party Systems (as set forth in [Section
5.5.1](#551-types-of-records-archived)); and
2. All archived documentation relating to the verification, issuance, and
revocation of certificate requests and Certificates (as set forth in
[Section 5.5.1](#551-types-of-records-archived)) after the later occurrence
of:
   1. such records and documentation were last relied upon in the
verification, issuance, or revocation of certificate requests and
Certificates; or
   2. the expiration of the Subscriber Certificates relying upon such
records and documentation.
*(ed. note: the first three bullets here have been removed as they are
covered by the first sentence, and the phrase "records and" has been
removed from the two remaining bullet points for the same reason)*
"""

Basically, this structure makes it clear that the records archival
requirements are of the form "archive audit logs *and* this additional
non-event documentation". I personally find this approach to be much
clearer than the current repetitive phrasing.

What do you think?

Aaron