[Servercert-wg] Proposal to update logging requirements

Martijn Katerbarg martijn.katerbarg at sectigo.com
Wed Sep 20 09:00:46 UTC 2023 

Hi Tobias, 

The discussion we had was around the amount of log events and details required in accordance with the BRs. This in essence, it boiled down to the interpretation of the word "activities". Yes, routing a packet is a router activity. So, must it be logged? 

Depending on the interpretation that one may have, it may have to be logged, because it's a router activity, and router activities must be logged, right? 

In our eyes however, this is not a reasonable interpretation of the requirement. However without more precise language in place, this option remains available. 

As mentioned in the original email as well, what's the point in logging every OCSP GET and POST request, especially in a world where several Root Store operators want to reduce the use of OCSP due to privacy concerns (see SC63). Yet at the same time, we're required to keep logs for this at least 2 years. 

OCSP here is just a single example, the same could be said for CRLs or AIA URLs. 

Regards,

Martijn 


From: Tobias S. Josefowitz <tobij at opera.com>
Date: Thursday, 14 September 2023 at 16:57
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Proposal to update logging requirements 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Hi Martijn,

On Wed, 13 Sep 2023, Martijn Katerbarg via Servercert-wg wrote:

> During our last WebTrust audit cycle it became clear that our
> interpretation of "Firewall and router activities" and CPA Canada's
> interpretation were meaningfully different. In particular it came to
> light that in its most aggressive possible interpretation, the actual
> logging of a firewall activity would itself constitute a firewall
> activity, which would itself require logging, as would the log of the
> log entry of that log entry, the log of this newest log entry, and
> etcetera into infinity. In our opinion, too much "valid traffic"
> logging, makes it harder to find "bad traffic".

That does sound intriguing. Would it be possible for you to go into a
little more detail about what the actual point of contention was? I am
assuming it was not actually the infinite layers of log events, but either
way I would appreciate if you could share a bit more details.

Tobi 




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230920/f0334c5a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 8254 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20230920/f0334c5a/attachment.bin>

More information about the Servercert-wg mailing list