The changes look good and this clearer set of requirements feels like a worthwhile improvement to us at Certainly. We'd be willing to endorse it in the current form.
On Wed, 3 Jan 2024 at 03:45, Martijn Katerbarg via Servercert-wg <[email protected]> wrote:

> All,
>
> I’ve made a few changes based on discussions that were held a few weeks
> ago. This includes adding a new section (5.4.1.1) containing a MUST and
> SHOULD NOT log list.
>
> The updated proposal can be reviewed at
> https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements
>
> Looking for more feedback on this, or, depending on how much discussion
> there is, for any endorsers.
>
> Regards,
>
> Martijn
>
> *From: *Servercert-wg <[email protected]> on behalf of
> Martijn Katerbarg via Servercert-wg <[email protected]>
> *Date: *Friday, 22 September 2023 at 09:36
> *To: *Tobias S. Josefowitz <[email protected]>, CA/B Forum Server
> Certificate WG Public Discussion List <[email protected]>
> *Subject: *Re: [Servercert-wg] Proposal to update logging requirements
>
> Hi Tobias,
>
> I can only share our side of the discussion, as done in the first email I
> sent out. However the logging of all OCSP requests was certainly part of
> this. Other than that, the discussion was more in general around what it
> may entail without going into specific points on what should or should not
> be included.
>
> If CABF members want to bring forward specific items or ideas they believe
> should be covered in here, on top of the proposed changes, then let's have a
> discussion on that and see how detailed we can get!
>
> As indeed you have brought forward an idea: Yes I think having logins (and
> unsuccessful login attempts) logged, would indeed be useful.
>
> Are there any other items that you would like to see reflected?
>
> Regards,
>
> Martijn
>
> *From: *Tobias S. Josefowitz <[email protected]>
> *Date: *Wednesday, 20 September 2023 at 16:52
> *To: *Martijn Katerbarg <[email protected]>, CA/B Forum
> Server Certificate WG Public Discussion List <[email protected]>
> *Subject: *Re: [Servercert-wg] Proposal to update logging requirements
>
> Hi Martijn,
>
> On Wed, 20 Sep 2023, Martijn Katerbarg wrote:
>
> > The discussion we had was around the amount of log events and details
> > required in accordance with the BRs. In essence, it boiled down to
> > the interpretation of the word "activities". Yes, routing a packet is a
> > router activity. So, must it be logged? Depending on the interpretation
> > that one may have, it may have to be logged, because it's a router
> > activity, and router activities must be logged, right? In our eyes
> > however, this is not a reasonable interpretation of the requirement.
>
> Thank you! I can certainly agree that, without any context, a hypothetical
> requirement "Record all firewall and router activities." will easily lead
> to nonsensical results depending on the definition/interpretation of
> activities. I can also agree that, even with the context of 5.4.1, it may
> not necessarily be very clear what the interpretation should be.
>
> I was just hoping that getting a brief insight into the point of
> discussion that you had come up might be helpful in delineating more where
> the line should be, and then how to express it in 5.4.1.
>
> The changes in
>
> https://github.com/cabforum/servercert/compare/main...XolphinMartijn:servercert:LoggingRequirements
> however look like they are falling a bit short. There are many more types
> of "activities" that I would think should be encompassed by 5.4.1, too
> many to give a list. But to single one out just to illustrate my point, I
> think that logins to the router's/firewall's management interface are a
> kind of "activity" that would be very useful to have covered by 5.4.1.
>
> If you could provide any insight into how differing interpretations are
> clashing in practice, it would help me a lot, and I would really
> appreciate it.
>
> Tobi
> _______________________________________________
> Servercert-wg mailing list
> [email protected]
> https://lists.cabforum.org/mailman/listinfo/servercert-wg

--
*Daniel Jeffery* | TLS
fastly.com | @fastly <https://twitter.com/fastly> | LinkedIn <http://www.linkedin.com/company/fastly>
