[Servercert-wg] Proposal to update logging requirements

Daniel Jeffery djeffery at fastly.com
Wed Jan 3 21:00:54 UTC 2024


The changes look good and this clearer set of requirements feels like a
worthwhile improvement to us at Certainly. We'd be willing to endorse it in
the current form.

On Wed, 3 Jan 2024 at 03:45, Martijn Katerbarg via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> All,
>
>
>
> I’ve made a few changes based on discussions that were held a few weeks
> ago. This includes adding a new section (5.4.1.1) containing a MUST and
> SHOULD NOT log list.
>
>
>
> The updated proposal can be reviewed at
> https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements
>
>
>
> Looking for more feedback on this, or, depending on how much discussion
> there is, for any endorsers.
>
> Regards,
>
> Martijn
>
>
>
> *From: *Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Martijn Katerbarg via Servercert-wg <servercert-wg at cabforum.org>
> *Date: *Friday, 22 September 2023 at 09:36
> *To: *Tobias S. Josefowitz <tobij at opera.com>, CA/B Forum Server
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject: *Re: [Servercert-wg] Proposal to update logging requirements
>
>
>
> Hi Tobias,
>
>
>
> I can only share our side of the discussion, as done in the first email I
> sent out. However the logging of all OCSP requests was certainly part of
> this. Other than that, the discussion was more in general around what it
> may entail without going into specific points on what should or should not
> be included.
>
>
>
> If CABF members want to bring forward specific items or ideas they believe
> should be covered in here, on top of the proposed changes, then let's have a
> discussion on that and see how detailed we can get!
>
>
>
> As indeed you have brought forward an idea: Yes I think having logins (and
> unsuccessful login attempts) logged, would indeed be useful.
>
>
>
> Are there any other items that you would like to see reflected?
>
> Regards,
>
> Martijn
>
>
>
> *From: *Tobias S. Josefowitz <tobij at opera.com>
> *Date: *Wednesday, 20 September 2023 at 16:52
> *To: *Martijn Katerbarg <martijn.katerbarg at sectigo.com>, CA/B Forum
> Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject: *Re: [Servercert-wg] Proposal to update logging requirements
>
>
>
> Hi Martijn,
>
> On Wed, 20 Sep 2023, Martijn Katerbarg wrote:
>
> > The discussion we had was around the amount of log events and details
> > required in accordance with the BRs. In essence, it boiled down to
> > the interpretation of the word "activities". Yes, routing a packet is a
> > router activity. So, must it be logged? Depending on the interpretation
> > that one may have, it may have to be logged, because it's a router
> > activity, and router activities must be logged, right? In our eyes
> > however, this is not a reasonable interpretation of the requirement.
>
> Thank you! I can certainly agree that, without any context, a hypothetical
> requirement "Record all firewall and router activities." will easily lead
> to nonsensical results depending on the definition/interpretation of
> activities. I can also agree that, even with the context of 5.4.1, it may
> not necessarily be very clear what the interpretation should be.
>
> I was just hoping that getting a brief insight into the point of
> discussion that you had come up might be helpful in delineating more where
> the line should be, and then how to express it in 5.4.1.
>
> The changes in
>
> https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements
> however look like they are falling a bit short. There are many more types
> of "activities" that I would think should be encompassed by 5.4.1, too
> many to give a list. But to single one out just to illustrate my point, I
> think that logins to the router's/firewall's management interface are a
> kind of "activity" that would be very useful to have covered by 5.4.1.
>
> If you could provide any insight into how differing interpretations are
> clashing in practice, it would help me a lot, and I would really
> appreciate it.
>
> Tobi


-- 


*Daniel Jeffery* | TLS
fastly.com | @fastly <https://twitter.com/fastly> | LinkedIn
<http://www.linkedin.com/company/fastly>