This needs further discussion. There may tools that do not log this kind of information nor have a security log. Should this be forced on the tool vendor or left to the tool vendor to decide what to log or not?

Discussion with Martin: The logging shall be auditable (this means that it gets somehow exported or send out (log server)
A detailed definition of auditable would be quite complex and may involve also digital signature of log messages.
A log message should contain at least user_id, timestamp and the action.
The logging functionality is important for auditing purposes and should be implemented.

Propose to change the text in 9.1 to:
"The tool shall support sending log messages and displaying meaningful warning and error messages when a signature cannot be fully validated"
Reason: With this formulation a "logging" system is not in the "shall" requirement. (only the ability to send out messages is required).
Organizational topics related to logging are out of scope.

In section 9.1, now section 8.1 the following was changed:
The third sentence in the fourth paragraph was changed to read "The tool shall support sending of log messages and display of meaningful warning and error messages when a signature cannot be fully validated. ".

In the team review it was mentioned that this should be not a "shall" and that the log format is not specified (so the "shall" is not testable))

Based on input from Martin Dickopp:
We changed the "shall" for log messages to a "should", but kept the "shall" for the display of warning/error messages.

see previous note

Text was again changed to reflect tools with and without user interfaces

team agrees to close the issue