dzacharo · dzacharo · Jul 1, 2021 · Jul 1, 2021 · Jul 24, 2021 · clintwilson
diff --git a/docs/BR.md b/docs/BR.md
@@ -1,6 +1,6 @@
 ---
 title: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates
-subtitle: Version 1.7.6
+subtitle: Version 1.7.6 WIP SC38 Consolidate and Clarify Logging and Records Archival Retention Requirements
 author:
   - CA/Browser Forum
 date: 3 June, 2021  
@@ -1468,7 +1468,9 @@ The CA SHALL verify that the Delegated Third Party's personnel involved in the i
 
 ### 5.4.1 Types of events recorded
 
-The CA and each Delegated Third Party SHALL record details of the actions taken to process a certificate request and to issue a Certificate, including all information generated and documentation received in connection with the certificate request; the time and date; and the personnel involved. The CA SHALL make these records available to its Qualified Auditor as proof of the CA’s compliance with these Requirements.
+The CA and each Delegated Third Party SHALL record events related to the security of Certificate Systems, Certificate Management Systems, Root CA Systems and Delegated Third Party Systems, especially events and details of the actions taken to process a certificate request and to issue a Certificate.
+
+The CA SHALL make these event records available to its Qualified Auditor as proof of the CA’s compliance with these Requirements.
 
 The CA SHALL record at least the following events:
 
@@ -1477,15 +1479,17 @@ The CA SHALL record at least the following events:
    2. Certificate requests, renewal, and re-key requests, and revocation;
    3. Approval and rejection of certificate requests;
    4. Cryptographic device lifecycle management events;
-   5. Generation of Certificate Revocation Lists and OCSP entries;
-   6. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
+   5. Generation of Certificate Revocation Lists;
+   6. Signing of OCSP Responses (as described in 4.9 and 4.10); and
+   7. Introduction of new Certificate Profiles and retirement of existing Certificate Profiles.
 
 2. Subscriber Certificate lifecycle management events, including:
    1. Certificate requests, renewal, and re-key requests, and revocation;
    2. All verification activities stipulated in these Requirements and the CA's Certification Practice Statement;
    3. Approval and rejection of certificate requests;
-   4. Issuance of Certificates; and
-   5. Generation of Certificate Revocation Lists and OCSP entries.
+   4. Issuance of Certificates;
+   5. Generation of Certificate Revocation Lists; and
+   6. Signing of OCSP Responses (as described in 4.9 and 4.10).
 
 3. Security events, including:
    1. Successful and unsuccessful PKI system access attempts;
@@ -1496,29 +1500,31 @@ The CA SHALL record at least the following events:
    6. Firewall and router activities; and
    7. Entries to and exits from the CA facility.
 
-Log records MUST include the following elements:
+Log records MUST include at least the following elements:
 
-1. Date and time of record;
-2. Identity of the person making the journal record; and
-3. Description of the record.
+1. Date and time of event;
+2. Identity of the person making the journal entry; and
+3. Description of the event.
 
-### 5.4.2 Frequency for Processing and Archiving Audit Logs
+### 5.4.2 Frequency of processing audit log
 
-### 5.4.3 Retention Period for Audit Logs
+### 5.4.3 Retention period for audit log
 
-The CA SHALL retain, for at least two years:
+The CA SHALL retain, for at least two (2) years:
 
   1. CA certificate and key lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (1)) after the later occurrence of:
      1. the destruction of the CA Private Key; or
      2. the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 `basicConstraints` extension with the `cA` field set to true and which share a common Public Key corresponding to the CA Private Key;
   2. Subscriber Certificate lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (2)) after the revocation or expiration of the Subscriber Certificate;
   3. Any security event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (3)) after the event occurred.
 
-### 5.4.4 Protection of Audit Log
+**Note:** While these Requirements set the minimum retention period, the CA may choose a greater value as more appropriate in order to be able to investigate possible security or other types of incidents that will require retrospection and examination of past events.
+
+### 5.4.4 Protection of audit log
 
-### 5.4.5 Audit Log Backup Procedures
+### 5.4.5 Audit log backup procedures
 
-### 5.4.6 Audit Log Accumulation System (internal vs. external)
+### 5.4.6 Audit collection System (internal vs. external)
 
 ### 5.4.7 Notification to event-causing subject
 
@@ -1534,9 +1540,36 @@ Additionally, the CA's security program MUST include an annual Risk Assessment t
 
 ### 5.5.1 Types of records archived
 
+The CA and each Delegated Third Party SHALL archive records related to the security of Certificate Systems, Certificate Management Systems, Root CA Systems and Delegated Third Party Systems, especially archive records related to the verification, issuance and revocation of certificate requests and Certificates.
+
+Following is a list of illustrative examples of records archived that are related to the security of Certificate Systems, Certificate Management Systems, Root CA Systems and Delegated Third Party Systems:
+
+- Records of the onboarding process of CA hardware components;
+- Records of change management events for CA software, CA profiles
+- CA ceremony scripts
+- ...
+- ...
+
+The CA SHALL archive records relating to:
+
+1. CA certificate and key lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (1))
+2. Subscriber Certificate lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (2))
+3. Security event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (3))
+
+
 ### 5.5.2 Retention period for archive
 
-The CA SHALL retain all documentation relating to certificate requests and the verification thereof, and all Certificates and revocation thereof, for at least seven years after any Certificate based on that documentation ceases to be valid.
+The CA and each Delegated Third Party SHALL retain, for at least two (2) years:
+
+1. CA certificate and key lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (1)) after the later occurrence of:
+    1. the destruction of the CA Private Key; or
+    2. the revocation or expiration of the final CA Certificate in that set of Certificates that have an X.509v3 `basicConstraints` extension with the `cA` field set to true and which share a common Public Key corresponding to the CA Private Key;
+2. Subscriber Certificate lifecycle management event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (2)) after the expiration of the Subscriber Certificate;
+3. Any security event records (as set forth in [Section 5.4.1](#541-types-of-events-recorded) (3)) after the event occurred; 
+4. All archived records and documentation relating to the verification, issuance, and revocation of certificate requests and Certificates; and
+5. All archived records and documentation related to the security of Certificate Systems, Certificate Management Systems, Root CA Systems and Delegated Third Party Systems (as set forth in [Section 5.5.1](#551-types-of-records-archived)).
+
+**Note:** While these Requirements set the minimum retention period, the CA may choose a greater value as more appropriate in order to be able to investigate possible security or other types of incidents that will require retrospection and examination of past archive records.
 
 ### 5.5.3 Protection of archive