[Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements

Aaron Gable aaron at letsencrypt.org
Sat Feb 3 01:31:13 UTC 2024


On Fri, Feb 2, 2024, 16:13 Clint Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Hi Martijn,
>
> Thanks for sending this out for discussion. Just a few comments at this
> point:
>
>
>    1. I’m not sure the wording “"Router and firewall activities" is
>    considered an unspecified term, and leaves the exact definition and scope
>    up to the CA, however” is necessary or even really helpful. I think it
>    would be clearer to introduce Section 5.4.1.1 with something like “Logging
>    of router and firewall activities necessary to meet the requirements of
>    Section 5.4.1, Subsection 3.6 MUST at a minimum include:”
>       - I’m not sold on the “Subsection” part, but I don’t recall if we
>       have good semantics established for referencing the numbered
>       paragraphs/sections under a Section heading.
>
>
I believe the most widely-used nomenclature would be "Paragraph".

>
>    2. I think the entire section including and under "Logging of router
>    and firewall activities SHOULD NOT include:” should be removed.
>       - The first item listed seems overly broad (arguably, imo, even
>       covering the “inbound and outbound” connections of the second item) and so
>       making it a SHOULD NOT seems too strong a recommendation.
>       - The second item seems counterintuitive and difficult to implement
>       correctly+consistently. It could be read as something like “don’t log
>       unless you know you’re being exploited”, which doesn’t sound like a
>       recommendation we should be making (especially in the context of
>       post-incident data analysis).
>       - Neither of these recommendations seems necessary to accomplish
>       the goals of additional clarity and specificity of what MUST be logged.
>    3. The concluding sentence "CAs are encouraged to recommend additional
>    MUST and SHOULD NOT requirements through an email to
>    questions at cabforum.org, for future discussion within the appropriate
>    Working Group.” stands out as I think it’s the only such “encouragement” in
>    the BRs. I don’t think that makes it bad or that it should be removed, but
>    I’m also not sure how valuable it is to the BRs as a policy. I admit that
>    may be because I view this encouragement as fundamental to membership and
>    participation in the CA/B Forum at all — every member, regardless of type,
>    should feel welcome and encouraged to recommend changes to any of the CA/B
>    Forum documents. But we don’t say that anywhere, so maybe this is a good
>    start?
>
>
> Cheers!
> -Clint
>
> On Jan 29, 2024, at 10:30 AM, Martijn Katerbarg via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> *Summary:*
>
> This ballot aims to clarify what data needs to be logged as part of the
> "Firewall and router activities" logging requirement in the Baseline
> Requirements.
>
> This ballot is proposed by Martijn Katerbarg (Sectigo) and endorsed by
> Daniel Jeffery (Fastly) and Ben Wilson (Mozilla).
>
> --- Motion Begins ---
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates" ("Baseline Requirements"),
> based on Version 2.0.2.
>
> MODIFY the Baseline Requirements as specified in the following Redline:
> https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...807675c91c8500157b0ffd58ab3a40b0b17075e5
>
> --- Motion Ends ---
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (at least 7 days)
>
>    1. Start time: 2024-01-29 18:30:00 UTC
>    2. End time: not before 2024-02-05 18:30:00 UTC
>
> Vote for approval (7 days)
>
>    1. Start time: TBD
>    2. End time: TBD
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg