[Servercert-wg] [Discussion Period Begins]: SC-69 Clarify router and firewall logging requirements
Aaron Gable
aaron at letsencrypt.org
Sat Feb 3 01:31:13 UTC 2024
On Fri, Feb 2, 2024, 16:13 Clint Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Hi Martijn,
>
> Thanks for sending this out for discussion. Just a few comments at this
> point:
>
>
> 1. I’m not sure the wording “"Router and firewall activities" is
> considered an unspecified term, and leaves the exact definition and scope
> up to the CA, however” is necessary or even really helpful. I think it
> would be clearer to introduce Section 5.4.1.1 with something like “Logging
> of router and firewall activities necessary to meet the requirements of
> Section 5.4.1, Subsection 3.6 MUST at a minimum include:”
> - I’m not sold on the “Subsection” part, but I don’t recall if we
> have good semantics established for referencing the numbered
> paragraphs/sections under a Section heading.
>
>
I believe the most widely-used nomenclature would be "Paragraph".
>
> 2. I think the entire section including and under “Logging of router
> and firewall activities SHOULD NOT include:” should be removed.
> - The first item listed seems overly broad (arguably, imo, even
> covering the “inbound and outbound” connections of the second item) and so
> making it a SHOULD NOT seems too strong a recommendation.
> - The second item seems counterintuitive and difficult to implement
> correctly+consistently. It could be read as something like “don’t log
> unless you know you’re being exploited”, which doesn’t sound like a
> recommendation we should be making (especially in the context of
> post-incident data analysis).
> - Neither of these recommendations seems necessary to accomplish
> the goals of additional clarity and specificity of what MUST be logged.
> 3. The concluding sentence “CAs are encouraged to recommend additional
> MUST and SHOULD NOT requirements through an email to
> questions at cabforum.org, for future discussion within the appropriate
> Working Group.” stands out as I think it’s the only such “encouragement” in
> the BRs. I don’t think that makes it bad or that it should be removed, but
> I’m also not sure how valuable it is to the BRs as a policy. I admit that
> may be because I view this encouragement as fundamental to membership and
> participation in the CA/B Forum at all — every member, regardless of type,
> should feel welcome and encouraged to recommend changes to any of the CA/B
> Forum documents. But we don’t say that anywhere, so maybe this is a good
> start?
>
>
> Cheers!
> -Clint
>
> On Jan 29, 2024, at 10:30 AM, Martijn Katerbarg via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
> *Summary: *
>
> This ballot aims to clarify what data needs to be logged as part of the
> "Firewall and router activities" logging requirement in the Baseline
> Requirements.
>
> This ballot is proposed by Martijn Katerbarg (Sectigo) and endorsed by
> Daniel Jeffery (Fastly) and Ben Wilson (Mozilla).
>
> --- Motion Begins ---
>
> This ballot modifies the “Baseline Requirements for the Issuance and
> Management of Publicly-Trusted Certificates" ("Baseline Requirements"),
> based on Version 2.0.2.
>
> MODIFY the Baseline Requirements as specified in the following Redline:
> https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...807675c91c8500157b0ffd58ab3a40b0b17075e5
>
> --- Motion Ends ---
>
> This ballot proposes a Final Maintenance Guideline. The procedure for
> approval of this ballot is as follows:
>
> Discussion (at least 7 days)
>
> 1. Start time: 2024-01-29 18:30:00 UTC
> 2. End time: not before 2024-02-05 18:30:00 UTC
>
> Vote for approval (7 days)
>
> 1. Start time: TBD
> 2. End time: TBD
>
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>