Home » Proceedings » Ballots » Ballot CSC-11 – Update to log data retention requirements

Ballot CSC-11 – Update to log data retention requirements

Notice of Review Period

(Mailing list post is available here.)

This Review Notice is sent pursuant to Section 4.1 of the CA/Browser Forum’s Intellectual Property Rights Policy (v1.2).  This Review Period is for Final Maintenance Guidelines (30 day Review Period).  A complete draft of the Draft Guideline that is the subject of this Review Notice is available here.

Date Review Notice Sent:            October 4, 2021

Ballot for Review:                         Ballot CSC- 11: Update to log data retention requirements

Start of Review Period:                October 4, 2021 at 13:30 UTC

End of Review Period:                 November 3, 2021 at 13:30 UTC

Please forward any Exclusion Notice relating to Essential Claims to the Chair by email before the end of the Review Period.  See current version of CA/Browser Forum Intellectual Property Rights Policy for details.

Results of Voting

(Mailing list post is available here.)

YesNoAbstain
Certificate IssuersCertum (Asseco)
DigiCert
eMudhra
Entrust
GlobalSign
HARICA
Sectigo
SecureTrust
Certificate ConsumersMicrosoft
The ballot has PASSED.

Purpose of the Ballot

Update the log data and retention of log data requirements in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.5. The following motion has been proposed by Ian McMillan of Microsoft, and endorsed by Dimitris Zacharopoulos (HARICA) and Bruce Morton (Entrust).

Motion

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 2.5 according to the attached redline which includes:

  • Update section 15 “Data Records” removing references to [SSL/TLS] Baseline Requirements for this section in totality
  • Update section 15 “Data Records” to include sub-section 15.1 “Types of Events Recorded” and describing the requirements for CAs and Third Party Delegates while removing “Signing Services”
  • Update section 15 “Data Records” to include sub-section 15.2 “Timestamp Authority Data Records”
  • Update section 15.1 to clarify 4(f) for security event logging on Timestamp Authority servers
  • Update section 15.1 on 4(d) for security event logging to no longer include “hardware failures”
  • Update section 15 “Data Records” to include sub-section 15.3 “Data Retention Period for Audit Logs”
  • Update section 15.2 to no longer reference Baseline Requirements section 5.4.3 and defined a specific retention period for CA, subscriber certificate, Timestamp Authority, and security event data records for at least 2 years