From 510bf5dc89cd0b04c0c712f9cb1c8cc666fa2588 Mon Sep 17 00:00:00 2001 From: Martijn Katerbarg Date: Wed, 13 Mar 2024 18:05:05 +0100 Subject: [PATCH 1/2] Ballot SC-69: Clarify router and firewall logging requirements (#477) * Remove monitoring requirement for unused serial numbers * Change Firewall logging requirements * Typo correction * Add separate lists for do and don't for logging * Add additional controls * Typo corrections * Quote first usage * Incorporating feedback * Remove incorrect quote --- docs/BR.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index c85365b1..1803b29e 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -1356,8 +1356,6 @@ For the status of Subordinate CA Certificates: If the OCSP responder receives a request for the status of a certificate serial number that is "unused", then the responder SHOULD NOT respond with a "good" status. If the OCSP responder is for a CA that is not Technically Constrained in line with [Section 7.1.2.3](#7123-technically-constrained-non-tls-subordinate-ca-certificate-profile) or [Section 7.1.2.5](#7125-technically-constrained-tls-subordinate-ca-certificate-profile), the responder MUST NOT respond with a "good" status for such requests. -The CA SHOULD monitor the OCSP responder for requests for "unused" serial numbers as part of its security response procedures. - The OCSP responder MAY provide definitive responses about "reserved" certificate serial numbers, as if there was a corresponding Certificate that matches the Precertificate [RFC6962]. A certificate serial number within an OCSP request is one of the following three options: 
@@ -1545,15 +1543,24 @@ The CA SHALL record at least the following events: 3. Security profile changes; 4. Installation, update and removal of software on a Certificate System; 5. System crashes, hardware failures, and other anomalies; - 6. Firewall and router activities; and + 6. Relevant router and firewall activities (as described in [Section 5.4.1.1](#5411-router-and-firewall-activities-logs)); and 7. Entries to and exits from the CA facility. -Log records MUST include the following elements: +Log records MUST include at least the following elements: 1. Date and time of event; -2. Identity of the person making the journal record; and +2. Identity of the person making the journal record (when applicable); and 3. Description of the event. +#### 5.4.1.1 Router and firewall activities logs + +Logging of router and firewall activities necessary to meet the requirements of Section 5.4.1, Subsection 3.6 MUST at a minimum include: + + 1. Successful and unsuccessful login attempts to routers and firewalls; and + 2. Logging of all administrative actions performed on routers and firewalls, including configuration changes, firmware updates, and access control modifications; and + 3. Logging of all changes made to firewall rules, including additions, modifications, and deletions; and + 4. Logging of all system events and errors, including hardware failures, software crashes, and system restarts. + ### 5.4.2 Frequency of processing audit log ### 5.4.3 Retention period for audit log From 1a277398092b560522e330c060b985608086756f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=B1igo=20Barreira?= <92998585+barrini@users.noreply.github.com> Date: Mon, 15 Apr 2024 12:33:45 +0200 Subject: [PATCH 2/2] Update BR as per SC69 publication change.md Changed version and date and added the new ballot at the end of section 1.2.1 --- docs/BR.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/BR.md b/docs/BR.md index 1803b29e..80a149e9 100644 --- a/docs/BR.md 
+++ b/docs/BR.md @@ -1,9 +1,9 @@ --- title: Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates -subtitle: Version 2.0.2 +subtitle: Version 2.0.3 author: - CA/Browser Forum -date: 8-January-2024 +date: 15-April-2024 copyright: | @@ -135,7 +135,7 @@ The following Certificate Policy identifiers are reserved for use by CAs to asse | 2.0.0 | SC62 | Certificate Profiles Update | 22-Apr-2023 | 15-Sep-2023 | | 2.0.1 | SC63 | Make OCSP optional, require CRLs, and incentivize automation | 17-Aug-2023 | 15-Mar-2024 | | 2.0.2 | SC66 | 2023 Cleanup | 23-Nov-2023 | 8-Jan-2024 | - +| 2.0.3 | SC69 | Clarify router and firewall logging requirements | 13-March-2024 | 15-April-2024 | \* Effective Date and Additionally Relevant Compliance Date(s)
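Review bot: in the first hunk of PATCH 1/2 (@@ -1356,8), the removed line is the only sentence in this section that connects requests for "unused" serial numbers to the CA's security response procedures; the paragraph that remains still forbids a "good" response for such requests but no longer says anything about detecting them, and the commit message ("Remove monitoring requirement for unused serial numbers") gives no rationale. Consider stating in the ballot text or commit message why monitoring is no longer expected, or keeping the sentence as a SHOULD, since a responder receiving status requests for serials it never issued is a signal an operator would want surfaced rather than silently dropped from the requirements.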
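Review bot: in the second hunk of PATCH 1/2 (@@ -1545,15), the new Section 5.4.1.1 list has "; and" at the end of items 1, 2 and 3, so the conjunction should be moved to the penultimate item only, and items 2 to 4 open with "Logging of ..." while item 1 does not, which reads awkwardly after "MUST at a minimum include"; a uniform form such as "1. Successful and unsuccessful login attempts to routers and firewalls; 2. All administrative actions performed on routers and firewalls, including ...; 3. All changes made to firewall rules, including ...; and 4. All system events and errors, including ..." avoids both problems. Two further points: the cross-reference "Section 5.4.1, Subsection 3.6" relies on list numbering that is not visible in this hunk and will break silently if either list is renumbered, so referring to the item by its text ("relevant router and firewall activities") or by the anchor already used in item 6 would be more robust; and the new qualifier "(when applicable)" on "Identity of the person making the journal record" is undefined, so it is worth saying explicitly that it covers automatically generated records, otherwise it can be read as making the identity optional for manually entered ones.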
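Review bot: in the second hunk of PATCH 2/2 (@@ -135,7), the new "2.0.3 | SC69" row replaces the blank line that separated the table from the "\* Effective Date and Additionally Relevant Compliance Date(s)" footnote, and several Markdown renderers continue a pipe table until the next blank line, so the footnote risks being parsed as a table row; add a blank line back after the new row. The date cells also depart from the table's existing format ("23-Nov-2023", "8-Jan-2024"): "13-March-2024" and "15-April-2024" should become "13-Mar-2024" and "15-Apr-2024" for consistency with the rows above.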