[Servercert-wg] Discussion Period Begins on Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements

Ryan Sleevi sleevi at google.com
Fri Jan 21 20:06:28 UTC 2022

On Fri, Jan 21, 2022 at 2:57 PM Clint Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> I agree that the authors of RFC 3647 intended for more detail to be
> included in a CPS around each of these sections than is currently in the
> BRs or added via the proposed changes in this ballot, however I don’t
> believe that RFC 3647 intends for 5.4 and 5.5 to represent two entirely
> different sets of “evidence”. For example, in section 4.5.4 (“Audit Logging
> Procedures”) it indicates that coverage should include “Frequency with
> which audit logs are processed or archived”. Similarly, in 4.5.5 (“Records
> Archival”) the RFC indicates that coverage should include “Types of records
> that are archived, for example all audit data….”. These references to
> archive and audits lead me to the interpretation that the authors of RFC
> 3647 intended for the records archival process to be an overarching
> collection and retention of audit data (i.e. everything logged in section
> 5.4) along with other data which may not be processed by event logging or
> audit systems (such as documentation supporting certificate applications).
> That is, as a Venn diagram, this is one circle inside another. This ballot
> attempts to clearly outline the end result of this relationship by
> delineating (and repeating, where relevant) the categories of data
> accounted for in both sections 5.4 and 5.5. Given Aaron’s feedback, I
> definitely think there’s room for improving *how* we outline that end
> result, however.

For what it's worth, that does match how I've understood these sections:
that audit data is a subset of the artifacts/records produced. Audit data
tends to be systemic or automated, while records include things like, say,
the photocopy of the ID that was verified during the in-person vetting.
These are complementary, one is a subset of the other, and the differences
between what can be automatically processed vs manually processed
necessitate some degree of different expectations - where those
automatically processed can, of course, more easily comply with any of the
requirements for the manually processed data.

Conceptually, this is similar to validation data within Section 3.2
(including the manual data), and the specific domain/ip validation of, which has limits on both delegation and how long certain types
of data can be used, different from the overall 3.2