All, 

I’ve made a few changes based on discussions that were held a few weeks ago. 
This includes adding a new section (5.4.1.1) containing a MUST and SHOULD NOT 
log list. 

The updated proposal can be reviewed at 
https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements
 
 

Looking for more feedback on this, or, depending on how much discussion there 
is, for any endorsers. 

Regards,

Martijn 

From: Servercert-wg <[email protected]> on behalf of Martijn 
Katerbarg via Servercert-wg <[email protected]>
Date: Friday, 22 September 2023 at 09:36
To: Tobias S. Josefowitz <[email protected]>, CA/B Forum Server Certificate WG 
Public Discussion List <[email protected]>
Subject: Re: [Servercert-wg] Proposal to update logging requirements 



Hi Tobias,

I can only share our side of the discussion, as done in the first email I sent 
out. However, the logging of all OCSP requests was certainly part of this. Other 
than that, the discussion was more in general around what it may entail without 
going into specific points on what should or should not be included. 

If CABF members want to bring forward specific items or ideas they believe 
should be covered in here, on top of the proposed changes, then let's have a 
discussion on that and see how detailed we can get!

As indeed you have brought forward an idea: Yes, I think having logins (and 
unsuccessful login attempts) logged would indeed be useful. 

Are there any other items that you would like to see reflected?

Regards,

Martijn

From: Tobias S. Josefowitz <[email protected]>
Date: Wednesday, 20 September 2023 at 16:52
To: Martijn Katerbarg <[email protected]>, CA/B Forum Server 
Certificate WG Public Discussion List <[email protected]>
Subject: Re: [Servercert-wg] Proposal to update logging requirements



Hi Martijn,

On Wed, 20 Sep 2023, Martijn Katerbarg wrote:

> The discussion we had was around the amount of log events and details
> required in accordance with the BRs. In essence, it boiled down to
> the interpretation of the word "activities". Yes, routing a packet is a
> router activity. So, must it be logged? Depending on the interpretation
> that one may have, it may have to be logged, because it's a router
> activity, and router activities must be logged, right? In our eyes
> however, this is not a reasonable interpretation of the requirement.

Thank you! I can certainly agree that, without any context, a hypothetical
requirement "Record all firewall and router activities." will easily lead
to nonsensical results depending on the definition/interpretation of
activities. I can also agree that, even with the context of 5.4.1, it may
not necessarily be very clear what the interpretation should be.

I was just hoping that getting a brief insight into the point of
discussion that you had come up might be helpful in delineating more where
the line should be, and then how to express it in 5.4.1.

The changes in
https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements
however look like they are falling a bit short. There are many more types
of "activities" that I would think should be encompassed by 5.4.1, too
many to give a list. But to single one out just to illustrate my point, I
think that logins to the router's/firewall's management interface are a
kind of "activity" that would be very useful to have covered by 5.4.1.

If you could provide any insight into how differing interpretations are
clashing in practice, it would help me a lot, and I would really
appreciate it.

Tobi






