On Fri, Feb 2, 2024, 16:13 Clint Wilson via Servercert-wg < [email protected]> wrote:
> Hi Martijn,
>
> Thanks for sending this out for discussion. Just a few comments at this point:
>
> 1. I’m not sure the wording "Router and firewall activities" is considered an unspecified term, and leaves the exact definition and scope up to the CA, however” is necessary or even really helpful. I think it would be clearer to introduce Section 5.4.1.1 with something like “Logging of router and firewall activities necessary to meet the requirements of Section 5.4.1, Subsection 3.6 MUST at a minimum include:”
>    - I’m not sold on the “Subsection” part, but I don’t recall if we have good semantics established for referencing the numbered paragraphs/sections under a Section heading.

I believe the most widely-used nomenclature would be "Paragraph".

> 2. I think the entire section including and under "Logging of router and firewall activities SHOULD NOT include:” should be removed.
>    - The first item listed seems overly broad (arguably, imo, even covering the “inbound and outbound” connections of the second item) and so making it a SHOULD NOT seems too strong a recommendation.
>    - The second item seems counterintuitive and difficult to implement correctly+consistently. It could be read as something like “don’t log unless you know you’re being exploited”, which doesn’t sound like a recommendation we should be making (especially in the context of post-incident data analysis).
>    - Neither of these recommendations seems necessary to accomplish the goals of additional clarity and specificity of what MUST be logged.
> 3. The concluding sentence "CAs are encouraged to recommend additional MUST and SHOULD NOT requirements through an email to [email protected], for future discussion within the appropriate Working Group.” stands out as I think it’s the only such “encouragement” in the BRs. I don’t think that makes it bad or that it should be removed, but I’m also not sure how valuable it is to the BRs as a policy. I admit that may be because I view this encouragement as fundamental to membership and participation in the CA/B Forum at all — every member, regardless of type, should feel welcome and encouraged to recommend changes to any of the CA/B Forum documents. But we don’t say that anywhere, so maybe this is a good start?
>
> Cheers!
> -Clint
>
> > On Jan 29, 2024, at 10:30 AM, Martijn Katerbarg via Servercert-wg <[email protected]> wrote:
> >
> > *Summary: *
> >
> > This ballot aims to clarify what data needs to be logged as part of the "Firewall and router activities" logging requirement in the Baseline Requirements.
> >
> > This ballot is proposed by Martijn Katerbarg (Sectigo) and endorsed by Daniel Jeffery (Fastly) and Ben Wilson (Mozilla).
> >
> > --- Motion Begins ---
> >
> > This ballot modifies the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" ("Baseline Requirements"), based on Version 2.0.2.
> >
> > MODIFY the Baseline Requirements as specified in the following Redline:
> > https://github.com/cabforum/servercert/compare/41f01640748fa612386f8b1a3031cd1bff3d4f35...807675c91c8500157b0ffd58ab3a40b0b17075e5
> >
> > --- Motion Ends ---
> >
> > This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:
> >
> > Discussion (at least 7 days)
> >
> > 1. Start time: 2024-01-29 18:30:00 UTC
> > 2. End time: not before 2024-02-05 18:30:00 UTC
> >
> > Vote for approval (7 days)
> >
> > 1. Start time: TBD
> > 2. End time: TBD
> >
> > _______________________________________________
> > Servercert-wg mailing list
> > [email protected]
> > https://lists.cabforum.org/mailman/listinfo/servercert-wg
