Hello,

BCP 162 contains logging recommendations for internet-facing
servers. Quoting the document:

"Discussions about data-retention policies are out of scope for this
document. Server security and transport security are important for
the protection of logs for Internet-facing systems. The operator of
the Internet-facing server must consider the risks, including the
data and services on the server, to determine the appropriate
measures. The protection of logs is critical in incident
investigations. If logs are tampered with, evidence could be
destroyed."

In other words, the BCP makes a recommendation without any discussion
about privacy considerations. The issue is traceability. It has
been the practice to log IP addresses. Keeping the logs for years is
not a good idea as it is difficult to argue that the information is
necessary.

I suggest that the BCP be reconsidered given the lack of privacy
considerations.

Regards,
S. Moonesamy
_______________________________________________
ietf-privacy mailing list
https://www.ietf.org/mailman/listinfo/ietf-privacy