Hi Tobias,

The discussion we had was around the amount of log events and details required in accordance with the BRs. In essence, it boiled down to the interpretation of the word "activities". Yes, routing a packet is a router activity. So, must it be logged?
Depending on the interpretation that one may have, it may have to be logged, because it's a router activity, and router activities must be logged, right? In our eyes, however, this is not a reasonable interpretation of the requirement. However, without more precise language in place, this option remains available.

As mentioned in the original email as well, what's the point in logging every OCSP GET and POST request, especially in a world where several Root Store operators want to reduce the use of OCSP due to privacy concerns (see SC63)? Yet at the same time, we're required to keep logs for this for at least 2 years. OCSP here is just a single example; the same could be said for CRLs or AIA URLs.

Regards,

Martijn

From: Tobias S. Josefowitz <[email protected]>
Date: Thursday, 14 September 2023 at 16:57
To: Martijn Katerbarg <[email protected]>, CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
Subject: Re: [Servercert-wg] Proposal to update logging requirements

Hi Martijn,

On Wed, 13 Sep 2023, Martijn Katerbarg via Servercert-wg wrote:

> During our last WebTrust audit cycle it became clear that our
> interpretation of "Firewall and router activities" and CPA Canada's
> interpretation were meaningfully different. In particular, it came to
> light that in its most aggressive possible interpretation, the actual
> logging of a firewall activity would itself constitute a firewall
> activity, which would itself require logging, as would the log of the
> log entry of that log entry, the log of this newest log entry, and
> etcetera into infinity. In our opinion, too much "valid traffic"
> logging makes it harder to find "bad traffic".

That does sound intriguing. Would it be possible for you to go into a little more detail about what the actual point of contention was? I am assuming it was not actually the infinite layers of log events, but either way I would appreciate it if you could share a bit more detail.

Tobi
_______________________________________________
Servercert-wg mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/servercert-wg
