Ballot SC051: Reduce and Clarify Audit Log and Records Archival Retention Requirements

Ballot overview

• Ballot SC051 is titled Reduce and Clarify Audit Log and Records Archival Retention Requirements.
• It was proposed as a Final Maintenance Guideline.
• The stated purpose was to consolidate and clarify audit log and records archival retention expectations and time-periods in section 5.5.2.
• The ballot also aimed to reduce records archival retention to 2 years, clarify audit log retention, require archival of lifecycle event records, replace OCSP Entries with OCSP Responses, and explicitly apply retention expectations to delegated third parties.

Voting and approval

• Certificate Issuers: 21 yes votes, 0 no votes, 0 abstentions.
• Certificate Consumers: 5 yes votes, 0 no votes, 0 abstentions.
• The bylaw voting requirements were MET for both Certificate Issuers and Certificate Consumers.
• Quorum was MET.
• No IP Rights issues were raised during the review period, which concluded 15 April 2022.
• The ballot was incorporated into version 1.8.3 of the Baseline Requirements.

Main requirements introduced or changed

• CAs and each Delegated Third Party must record events related to the security of their Certificate Systems, Certificate Management Systems, Root CA Systems, and Delegated Third Party Systems.
• CAs and each Delegated Third Party must record events related to processing certificate requests and issuing certificates, including information generated, documentation received, time and date, and personnel involved.
• The list of required recorded events includes certificate requests, renewals, re-key requests, revocation, approval and rejection of requests, cryptographic device lifecycle management events, generation of Certificate Revocation Lists, signing of OCSP Responses, and introduction or retirement of Certificate Profiles.
• Log records must include the date and time of event, identity of the person making the journal record, and description of the event.
• CAs and each Delegated Third Party must retain audit logs for at least 2 years.
• Subscriber Certificate lifecycle management event records are retained after expiration of the Subscriber Certificate.
• CAs and each Delegated Party must archive all audit logs.
• CAs and each Delegated Party must archive documentation related to the security of their systems and documentation related to verification, issuance, and revocation of certificate requests and certificates.
• Archived audit logs must be retained for at least 2 years from record creation timestamp, or as long as required under the audit-log retention rule, whichever is longer.
• Archived documentation related to verification, issuance, and revocation must be retained for at least 2 years after the later of last reliance on the records or expiration of the Subscriber Certificates relying on them.

Scope and clarifications

• The ballot clarifies that audit log retention and records archival expectations apply to delegated third parties.
• It clarifies that OCSP Entries should be treated as OCSP Responses.
• It formalizes incorporation of terms defined in the NCSSRs as also applying to the BRs.