[Servercert-wg] Proposal to update logging requirements

[Tobias S. Josefowitz]

Hi Martijn,

On Wed, 20 Sep 2023, Martijn Katerbarg wrote:

> The discussion we had was around the amount of log events and details 
> required in accordance with the BRs. This in essence, it boiled down to 
> the interpretation of the word "activities". Yes, routing a packet is a 
> router activity. So, must it be logged? Depending on the interpretation 
> that one may have, it may have to be logged, because it's a router 
> activity, and router activities must be logged, right? In our eyes 
> however, this is not a reasonable interpretation of the requirement.

Thank you! I can certainly agree that, without any context, a hypothetical 
requirement "Record all firewall and router activities." will easily lead 
to nonsensical results depending on the definition/interpretation of 
activities. I can also agree that, even with the context of 5.4.1, it may 
not necesarily be very clear what the interpretation should be.

I was just hoping that getting a brief insight into the point of 
discussion that you had come up might be helpful in delineating more where 
the line should be, and then how to express it in 5.4.1.

The changes in 
https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements 
however look like they are falling a bit short. There are many more types 
of "activities" that I would think should be encompassed by 5.4.1, too 
many to give a list. But to single one out just to illustrate my point, I 
think that logins to the router's/firewall's management interface are a 
kind of "activity" that would be very useful to have covered by 5.4.1.

If you could provide any insight into how differing interpretations are 
clashing in practice, it would help me a lot, and I would really 
appreciate it.

Tobi