[netsec] NS-009 Ballot: Log Storage System in CA Infrastructure Concern


Qais Al Hajri

May 14, 2026, 2:35:54 PM
to 'Ben Wilson' via NetSec WG - Public (CA/B Forum)
Hello,


I'm still concerned about adding the Log Storage System as it is written under "CA Infrastructure". I touched on this at the last meeting and have since gone through and reviewed the changes again.

I don't believe this was the intent, but as it is written, I worry this will mean that the CA will need to implement controls/processes and capture audit evidence from Third-Party Controlled Environment owners on the Log Storage System since this will be in a shared responsibility model to meet:
  • NSR 1.3 - "The CA MUST establish and maintain a change management process which is minimally: ...  authoritative for: ...  3. management of CA Infrastructure;"
    • [Q] Does this mean the CA must capture and audit the Third-Party Controlled Environment's change management process and their adherence to it?
  • NSR 2.2.1.2 - "If group accounts or shared role credentials are used, the CA MUST be able to attribute each use to: 1. an approved activity; and 2. an individual user or service account."
    • [Q] Does this mean the CA should validate that the Third-Party Controlled Environment does not use shared credentials/group accounts, and if they do, that they must provide audit evidence for this?
  • NSR 2.2.1.4 - "The CA MUST ensure access to CA Infrastructure and Network Boundary Controls is disabled for personnel within twenty-four (24) hours of the termination of an individual's employment or contracting relationship."
    • [Q] Does this mean the CA must gather evidence that the Third-Party Controlled Environment owners physically and logically offboard personnel within 24 hours?


The list can keep going wherever "CA Infrastructure" is mentioned in the NSR requirements, but I hope my point is clear.

Is there a way we can either:
  1. Update the definition of "CA Infrastructure" where it references "Log Storage System" to specifically say that the portion owned by the CA in the Shared Responsibility Model is in scope, or
  2. Keep Log Storage System out of the "CA Infrastructure" definition?

Thanks,
Qais Al Hajri