[Servercert-wg] Proposal to update logging requirements

Martijn Katerbarg martijn.katerbarg at sectigo.com
Thu Jan 4 17:04:53 UTC 2024


Thank you Jeffery. 

Still looking for an additional endorser and/or comments.

Regards,

Martijn 

From: Daniel Jeffery <djeffery at fastly.com>
Date: Wednesday, 3 January 2024 at 22:01
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Cc: Tobias S. Josefowitz <tobij at opera.com>
Subject: Re: [Servercert-wg] Proposal to update logging requirements 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. 


The changes look good and this clearer set of requirements feels like a worthwhile improvement to us at Certainly. We'd be willing to endorse it in the current form. 


On Wed, 3 Jan 2024 at 03:45, Martijn Katerbarg via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org>> wrote: 

All, 

I’ve made a few changes based on discussions that were held a few weeks ago. This includes adding a new section (5.4.1.1) containing a MUST and SHOULD NOT log list. 

The updated proposal can be reviewed at https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements <_blank> 

Looking for more feedback on this, or, depending on how much discussion there is, for any endorsers. 

Regards,

Martijn 

From: Servercert-wg <servercert-wg-bounces at cabforum.org <_blank>> on behalf of Martijn Katerbarg via Servercert-wg <servercert-wg at cabforum.org <_blank>>
Date: Friday, 22 September 2023 at 09:36
To: Tobias S. Josefowitz <tobij at opera.com <_blank>>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <_blank>>
Subject: Re: [Servercert-wg] Proposal to update logging requirements 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. 


Hi Tobias, 

I can only share our side of the discussion, as done in the first email I sent out. However the logging of all OCSP requests was certainly part of this. Other than that, the discussion was more in general around what it may entail without going into specific points on what should or should not be included. 

If CABF members want to bring forward specific items or ideas they believe should be covered in here, on top of the proposed changes, then lets have a discussion on that and see how detailed we can get! 

As indeed you have brought forward an idea: Yes I think having logins (and unsuccessful login attempts) logged, would indeed be useful. 

Are there any other items that you would like to see reflected?

Regards,

Martijn 

From: Tobias S. Josefowitz <tobij at opera.com <_blank>>
Date: Wednesday, 20 September 2023 at 16:52
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com <_blank>>, CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org <_blank>>
Subject: Re: [Servercert-wg] Proposal to update logging requirements 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


Hi Martijn,

On Wed, 20 Sep 2023, Martijn Katerbarg wrote:

> The discussion we had was around the amount of log events and details
> required in accordance with the BRs. This in essence, it boiled down to
> the interpretation of the word "activities". Yes, routing a packet is a
> router activity. So, must it be logged? Depending on the interpretation
> that one may have, it may have to be logged, because it's a router
> activity, and router activities must be logged, right? In our eyes
> however, this is not a reasonable interpretation of the requirement.

Thank you! I can certainly agree that, without any context, a hypothetical
requirement "Record all firewall and router activities." will easily lead
to nonsensical results depending on the definition/interpretation of
activities. I can also agree that, even with the context of 5.4.1, it may
not necesarily be very clear what the interpretation should be.

I was just hoping that getting a brief insight into the point of
discussion that you had come up might be helpful in delineating more where
the line should be, and then how to express it in 5.4.1.

The changes in
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcabforum%2Fservercert%2Fcompare%2Fmain...XolphinMartijn%3Aservercert%3ALoggingRequirements&data=05%7C01%7Cmartijn.katerbarg%40sectigo.com%7Cea8ee5d9f7204b5ad18b08dbb9e94534%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638308183770731321%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YfALPRS%2FmiDqkQAsgon%2BJA18INtaj3HDLFZP5y3um3k%3D&reserved=0 <_blank>
however look like they are falling a bit short. There are many more types
of "activities" that I would think should be encompassed by 5.4.1, too
many to give a list. But to single one out just to illustrate my point, I
think that logins to the router's/firewall's management interface are a
kind of "activity" that would be very useful to have covered by 5.4.1.

If you could provide any insight into how differing interpretations are
clashing in practice, it would help me a lot, and I would really
appreciate it.

Tobi 








_______________________________________________
Servercert-wg mailing list
Servercert-wg at cabforum.org <_blank>
https://lists.cabforum.org/mailman/listinfo/servercert-wg <_blank> 






-- 

Daniel Jeffery | TLS 

fastly.com <_blank> | @fastly <_blank> | LinkedIn <_blank> 









-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240104/d14987c2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 8254 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240104/d14987c2/attachment-0001.bin>


More information about the Servercert-wg mailing list