Ballot SC028: Logging and Log Retention
Server Certificate Working Group
Key dates
- Effective date: 10 Sep 2020
- Voting opened: 03 Sep 2020
- Voting closed: 10 Sep 2020
- Discussion opened: 10 Jul 2020
- Discussion closed: 28 Aug 2020
AI Summary
Ballot overview
- Ballot SC028: Logging and Log Retention was presented as a change to the Baseline Requirements and the Network and Certificate Systems Security Requirements.
- The ballot states that the voting period for Ballot SC28v6 has ended and the ballot has passed.
- Voting results were unanimous among both Certificate Issuers and Certificate Consumers, and the page states that the bylaw requirements for approval and quorum were met.
What the ballot changes
- It replaces the existing Baseline Requirements logging section with a revised Section 5.4.1 that:
  - Requires CAs and Delegated Third Parties to record details of certificate request processing and issuance.
  - Expands the list of required recorded events for CA certificate and key lifecycle events, subscriber certificate lifecycle events, and security events.
  - Adds introduction and retirement of Certificate Profiles to CA certificate and key lifecycle events.
  - Adds installation, update, and removal of software on a Certificate System to security events.
- It replaces the existing Baseline Requirements retention section with a revised Section 5.4.3 that reduces retention from seven years to at least two years for specified records.
- It also revises Network and Certificate Systems Security Requirements Section 3.b so that covered systems must log and continuously monitor the events specified in Baseline Requirements Section 5.4.1(3).
Retention and applicability
- CA certificate and key lifecycle management event records must be retained for at least two years after the later of:
  - destruction of the CA Private Key, or
  - revocation or expiration of the final CA Certificate in the relevant set of Certificates sharing a common Public Key.
- Subscriber Certificate lifecycle management event records must be retained for at least two years after revocation or expiration of the Subscriber Certificate.
- Security event records must be retained for at least two years after the event occurred.
Voting and timing
- Discussion period: 2020-07-10 17:00:00 UTC to 2020-08-28 17:00:00 UTC.
- Vote for approval period: 2020-09-03 17:00:00 UTC to 2020-09-10 17:00:00 UTC.
- The page does not provide an IPR end date.
- 2020-09-10: CA certificate and key lifecycle management event records. Retain these records for at least two years after the later of destruction of the CA Private Key or revocation/expiration of the final CA Certificate in the relevant set.
- 2020-09-10: Subscriber Certificate lifecycle management event records. Retain these records for at least two years after revocation or expiration of the Subscriber Certificate.
- 2020-09-10: Security event records. Retain these records for at least two years after the event occurred.
AI-generated from the CABF ballot page. The official CABF article remains the authoritative source.
Vote result
Proposers
Proposed by Neil Dunbar of TrustCor Systems and endorsed by Trevoli Ponds-White of Amazon and Dustin Hollenback of Microsoft.
Excerpt
The voting period for Ballot SC28v6 has ended and the Ballot has Passed. Here are the results: