[Servercert-wg] Discussion Period Begins on Ballot SC51: Reduce and Clarify Audit Log and Records Archival Retention Requirements

Clint Wilson clintw at apple.com
Fri Jan 21 20:11:59 UTC 2022



> On Jan 20, 2022, at 8:27 AM, Aaron Gable <aaron at letsencrypt.org> wrote:
> 
> On Thu, Jan 20, 2022 at 7:39 AM Clint Wilson <clintw at apple.com <mailto:clintw at apple.com>> wrote:
> 
>> I believe this to be a correct reading of the requirement. I think the primary reason there are 2 sections covering all this is simply that RFC3647 defines these as two separate sections with related, but separate, activities involved (“5.4 Audit Logging Procedures” and “5.5 Records Archival”).
> 
> This makes some sense, and I believe that the RFC3647 distinction between audit logging and records archival can certainly be a valuable one. But in my mind all of that value comes from the difference in how these two things are protected, backed up, and accessed (e.g. presumably audit logs should be easily accessible so that they can be "processed"; while records archives should be more securely backed up and protected so that auditing can still occur in case of disaster). Since this ballot still leaves those subsections empty (i.e. no stipulation) it is not clear to me that repeating nearly-identical "types of records" and "period of retention" sections has value.
>>> 
>>> Additionally, I find the phrasing of Section 5.5.1 to be unfortunate: it contains two sentences, both of which start "The CA and each Delegated Third Party SHALL archive records related to...". These should be combined into a single bulleted list, much as Section 5.5.2 does.
>> This was done in part to create direct comparability between 5.5.1 and 5.4.3, however if there’s little to no perceived value in that structure, the section could be combined, I think. I had made some prior attempts at this, which didn’t result in very readable text primarily due to the addition of documentation as input to the archive on top of the event records coming from audit logs. However, maybe something like this could work?
>> 
>> ### 5.5.1 Types of records archived
>> 
>> The CA and each Delegated Third Party SHALL archive records relating to:
>> 
>> 1. CA certificate and key lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (1));
>> 2. Subscriber Certificate lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (2));
>> 3. Security event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (3));
>> 4. The security of their Certificate Systems, Certificate Management Systems, Root CA Systems, and Delegated Third Party Systems; and
>> 5. Event records and documentation related to their verification, issuance, and revocation of certificate requests and Certificates
> 
> Yep, this is exactly what I was thinking of when I sent my last email, but now I have a proposal I like even better. I think it would make the most sense to say something like:
> 
> """
> ### 5.5.1: Types of records archived
> 
> The CA and each Delegated Party SHALL archive all audit logs.
> 
> Additionally, they SHALL archive:
> 1. Documentation related to the security of their Certificate Systems, Certificate Management Systems, Root CA Systems, and Delegated Third Party Systems; and
> 2. Documentation related to their verification, issuance, and revocation of certificate requests and Certificates.
> (ed note: the phrase "event records" has been removed from the second bullet, as that is covered by the "audit logs" in the first sentence.)
> 
> ### 5.5.2: Retention period for archive
> 
> Audit logs must be archived for a period of at least two (2) years from their record creation timestamp, or as long as they are required to be retained per Section 5.4.3, whichever is longer.
> 
> Additionally, the CA and each delegated party SHALL retain, for at least two (2) years:
> 1. All archived documentation related to the security of Certificate Systems, Certificate Management Systems, Root CA Systems and Delegated Third Party Systems (as set forth in [Section 5.5.1](#551-types-of-records-archived)); and
> 2. All archived documentation relating to the verification, issuance, and revocation of certificate requests and Certificates (as set forth in [Section 5.5.1](#551-types-of-records-archived)) after the later occurrence of:
>    1. such records and documentation were last relied upon in the verification, issuance, or revocation of certificate requests and Certificates; or
>    2. the expiration of the Subscriber Certificates relying upon such records and documentation.
> (ed. note: the first three bullets here have been removed as they are covered by the first sentence, and the phrase "records and" has been removed from the two remaining bullet points for the same reason)
> """
> 
> Basically, this structure makes it clear that the records archival requirements are of the form "archive audit logs and this additional non-event documentation". I personally find this approach to be much clearer than the current repetitive phrasing.
> 
> What do you think?
I like it. I might add “audit logs, as defined in section 5.4….” or something along those lines, but otherwise I think this conveys the same information and if the group generally feels that it does so in a clearer manner, then I’m all for it. If there is support and there are no objections, I’ll plan on incorporating this language in the branch.
> 
> Aaron
