All,
We’ve had an internal discussion at Sectigo regarding which information relating to CP and CPS documents needs to be kept within CCADB, and which old information must be removed.
We’re opting to open a public thread for this as we’re not only interested in seeing the point of view of the CCADB members, but other CAs and the community as well. At present, we see different CAs taking different approaches.
Let us start by quoting a few requirements, from CCADB and root stores:
The Chrome Root Program states (https://www.chromium.org/Home/chromium-security/root-ca-policy/#2-chrome-root-program-participant-policies): "The Chrome Root Program considers CA policy documentation in the CCADB to be authoritative."
The CCADB Policy states (https://www.ccadb.org/policy#5-policies-audits-and-practices): "The URLs to such CPs, CPSes and audits, and any metadata about them such as the name of the auditor or the date of the audit, must be updated as new information becomes available."
Our questions here boil down to (1) What is the scope of “updated”? and (2) What does it mean for a superseded CP or CPS document whose details have not been removed from CCADB “to be authoritative”?
For CP and CPS information, it’s possible (and sometimes even necessary) to add multiple entries. These entries can however also be removed at a later time. Consider the regular occurrence of a CA publishing a CPS update: What update are root stores / CCADB expecting out of these options:
Or, would any of these 3 options currently be seen as a valid practice?
Regards,
Martijn
What update are root stores / CCADB expecting out of these options:
- The new CPS should be added, and the old CPS should be deleted as it is no longer in effect for new certificate issuance.
- The new CPS should be added, but the old CPS should be kept in place as long as there are unexpired certificates under its policy.
- The new CPS should be added. Older entries should be kept indefinitely to serve as an archive overview.
The parenthetical in the first sentence is intended to provide some clarity around which CP/CPS documents are considered authoritative when disclosed to the CCADB. If a non-authoritative CP/CPS is not marked as “Deleted”, then it’s difficult to ascertain with a high degree of confidence and consistency across the corpus of CAs which CP/CPS is authoritative for a given CA. Ideally, a Root CA should only have at most either:"CA providers must strictly adhere to their Certificate Policy (CP) and/or Certification Practices Statement (CPS) document(s) as disclosed within the CCADB (and not marked as “Deleted”).Note: This extends to all policy documents the CA provider publishes in relation to its CAs included in the Apple Root Program, such as TSPS documents.”
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZqsV%2BOdGz3DZMy2ZPOiXo64DBDW7AB--ctauEBafJFE1uw%40mail.gmail.com.
Hi Martijn,
Providing the Chrome Root Program’s perspective below and feedback from others is welcome.
(1) What is the scope of “updated”?
In general, we rely on the information disclosed to the CCADB to serve as a canonical source of truth for the CAs represented in the Chrome Root Store, and those CAs transitively trusted in Chrome through those certificates.
The CCADB has, and continues to add, processing logic and reporting to measure compliance with various ecosystem requirements (e.g., BRs, Root Store Operator policies, etc.). This logic heavily depends on data disclosed by CAs to the CCADB. One example is that CCADB will warn on any policy document that’s not been updated within the last year, in line with the expectations of Section 2 of the Baseline Requirements (e.g., TLS BRs).
A simple way of thinking about the scope of “updated" is to consider the moment any data disclosed to the CCADB is no longer accurate (e.g., the in-force CP for a given PKI hierarchy is incremented from Version 1.1 to Version 1.2), it should be replaced with data that is accurate.
(2) What does it mean for a superseded CP or CPS document whose details have not been removed from CCADB “to be authoritative”?
Technically, policy documents are not removed from the CCADB. A CA Owner can identify a policy document as non-current (i.e., they have been superseded by a newer version) by selecting a “Delete" button in an ‘Add/Update Root Request’ case, or by directly updating the ‘Policies and Practices Information’ fields on ICA records. Despite the current “Delete” label, the CCADB does retain a copy of the document for long term use. The CCADB Steering Committee plans to update this label as part of a larger enhancement request in the near future.
For CP and CPS information, it’s possible (and sometimes even necessary) to add multiple entries. These entries can however also be removed at a later time. Consider the regular occurrence of a CA publishing a CPS update: What update are root stores / CCADB expecting out of these options:
- The new CPS should be added, and the old CPS should be deleted as it is no longer in effect for new certificate issuance.
- The new CPS should be added, but the old CPS should be kept in place as long as there are unexpired certificates under its policy.
- The new CPS should be added. Older entries should be kept indefinitely to serve as an archive overview.
The Chrome Root Program prefers CA Owners behave similar to #1, but as described above, “delete” is not the most appropriate term for the non-current versions of the policy documents. In actuality, the system behavior is more consistent with #3 due to document archive functionality.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/915D2153-57F7-4340-A280-AAF3FAF998C8%40apple.com.
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/SA1PR17MB65036E72E1BCC94752CB7B53E3812%40SA1PR17MB6503.namprd17.prod.outlook.com.
(e.g., the in-force CP for a given PKI hierarchy is incremented from Version 1.1 to Version 1.2), it should be replaced with data that is accurate.
- The new CPS should be added, and the old CPS should be deleted as it is no longer in effect for new certificate issuance.
- The new CPS should be added, but the old CPS should be kept in place as long as there are unexpired certificates under its policy.
- The new CPS should be added. Older entries should be kept indefinitely to serve as an archive overview.
The Chrome Root Program prefers CA Owners behave similar to #1, but as described above, “delete” is not the most appropriate term for the non-current versions of the policy documents. In actuality, the system behavior is more consistent with #3 due to document archive functionality.
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/d71c388f-8853-4a4b-9d49-a9aa4635ef50n%40ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/381e5c16-52ab-4ef7-9c0c-ede928dc0a4d%40harica.gr.
I agree that older versions of CP/CPS documents are important and useful, and ideally should be exposed for parties who want to see versions that were in effect when older certificates were validated or issued.
But the reality is that, for example, Let's Encrypt's CCADB pages were nearly unreadable due to the huge listing of historical CP/CPS documents. It was also incredibly difficult to tell which documents were relevant because we had made a change from separate CP and CPS to a combined CP/CPS. The UI simply displays all historical documents, with no ability to filter by when they were in force, and no ability to easily see which newer document replaced them. So we decided to go through and mark all historical versions of our documents as "deleted" to make the pages readable and usable again.
Ideally, there would be a nice in-between. But today, keeping many historical document versions active results in an unfortunate user experience.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAEmnErckLgLskiQUUzY7ATW6W%3DWfnzMw6GzJKEeh7yu6%2B9frVw%40mail.gmail.com.
Hi Martijn, et al.,
The CCADB Steering Committee had the opportunity to review and discuss the constructive feedback provided in this thread (thanks for that!). As previously hinted, we were planning to make some changes to policy document handling in the CCADB as a larger enhancement request, and this is an opportunity to collect some feedback.
Currently, new policy documents are always added as new records in the CCADB. References get added (A) to Root Certificate record(s) via an ‘Add/Update Root Request’ Case after a Root Store Operator syncs the information from the Case with the root record(s) (as they do today), or (B) directly on Intermediate Certificate records by CA Owners (as they are today).
Here is how we think publishing new policy documents (e.g., CP, CPS, or CP/CPS) could be handled in the CCADB going forward:
When a new policy document is added and associated with a Root Certificate record, if a previous version of that document exists (i.e., an earlier version of the policy document being added), we will expect that the previous version of that document would then be “superseded”. “Superseded” intends to avoid potential confusion from the existing term “Delete” and other suggested terms (i.e., “Archived”, “Obsolete”, “Withdrawn”, etc.), since previous policy documents can still be applicable in the ecosystem. Further:
All policy document records would be updated in the CCADB to include a new field: Policy Document Superseded Date.
During the “Add/Update Root Request” Case process, when adding a new policy document and associating it with applicable Root Certificate records, the CA Owner can select any existing policy document and click a new Supersede button to edit that document record and to specify the date it was superseded.
When editing an existing policy document that has already been synced with Root Certificate record(s), only the Policy Document Superseded Date field can be edited.
All fields for new policy documents that are being added to the Case can be edited until the Case is submitted for Root Store Operator review (as they are today).
During the deployment of this enhancement and for previously “Deleted” policy document records, we can set the Policy Document Superseded Date field to the Last Modified Date. CA Owners will have the ability to edit this date as needed on the policy document record.
In the CCADB, the reference to a superseded policy document will behave the same as those that are “Deleted” today, with the various options that allow a user to hide or reveal superseded documents.
In an ‘Add/Update Root Request’ Case, a warning will be presented for existing policy documents that have not been superseded after 335 days. The warning will progress to an error at 365 days, aligned with the annual update requirement of Section 2 in the CA/Browser Forum’s TLS, S/MIME, and Code Signing Baseline Requirements.
In the CCADB, all references to policy documents on Root Certificate records will have a File Archive Association (as they do today).
CA Owners can directly add and modify references to policy documents on their Intermediate Certificate records or identify the policy documents to be the same as the parent record (as they do today). Further:
On the Intermediate Certificate record, we will add the ability to identify if the CP, CPS, or CP/CPS is the same as the parent record, rather than only having the ability to identify “CP/CPS same as parent”, which is today’s current state in the CCADB.
When an Intermediate Certificate record is modified with policy document information and saved, that policy document will automatically be archived and identified as superseded. The Policy Document Superseded Date field will be populated on the archive record with the date the Intermediate Certificate record was modified and saved.
On the Intermediate Certificate record, a warning will be presented for existing policy documents that have not been superseded after 335 days. A new warning will be presented at 365 days, aligned with the annual update requirement of Section 2 in the CA/Browser Forum’s TLS, S/MIME, and Code Signing Baseline Requirements.
These proposed changes have simplicity in mind, while also:
allowing the CCADB to have similar logic of showing only the latest version of policy document(s) in default views;
providing more explicit “closure” for when a document has been superseded by another; and
avoiding confusion about a policy document having different states beyond effective and superseded.
Again, we appreciate the feedback on this thread and value the community's perspective on this proposal.
Thank you
-Chris, on behalf of the CCADB Steering Committee
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/2c0b9fa9-cf19-4a74-8a09-b38f70fffa7dn%40ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mDwnBM0B%2Bj8oAN-GdQ7EiMcTNVWOfzZQgsNSaeZO8u9Zw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mDwnBM0B%2Bj8oAN-GdQ7EiMcTNVWOfzZQgsNSaeZO8u9Zw%40mail.gmail.com.
I think this all makes sense, except for using the last-modified date to backfill the new “superseded” date. Unless it’s a practice to update a document itself when it is superseded by another, that last-modified is actually the date when it *started* to have effect, not when it ended. That would be pretty confusing!
Because of the mixture of doc types I’m not sure that you can get anything mechanically that approximates the superseding date, so it might just be better to leave that field empty/missing, and display it as “before Oct 31, 2024”, maybe linking to the document about putting this practice in place. I think it’s better to just admit that the system doesn’t know some of the dates than to make consumers try to figure out if the date is “real” or not.
If I remember correctly, in the Add/Update Root Request when a CP/CPS document is added, there is a field indicating the effective date of that document. If CCADB could be automated to set this particular field as the "Policy Document Superseded Date" in the previous superseded documents, it would be very helpful and would ensure consistency between the latest and previous versions of the documents in the DB on the date issue.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/6b3629ad-d975-447f-b3b2-e1c3e162c191%40harica.gr.
If I remember correctly, in the Add/Update Root Request when a CP/CPS document is added, there is a field indicating the effective date of that document. If CCADB could be automated to set this particular field as the "Policy Document Superseded Date" in the previous superseded documents, it would be very helpful and would ensure consistency between the latest and previous versions of the documents in the DB on the date issue.Your recollection is correct. This approach could be viable for CA Owners who utilize the same URL for the “Document Link”, but that is atypical and the CCADB would not otherwise be able to understand the relationship between the multiple policy document records.
Another approach we could consider would be when the CA Owner selects any existing policy document record in the Case UI and clicks the new “Supersede” button the "Policy Document Superseded Date" field could auto populate with the current date. We previously proposed clicking this button would require the CA Owner to manually select the date, but maybe we auto populate the date and still offer the CA Owner the ability to edit it, if needed.
Some CAs have a URL pointing always to the "latest version" of the corresponding document but I believe the guidance from the CCADB steering committee was to link to a specific version of the document. Is it ok for CAs to add URLs that point to the "latest version" of the document?
I understand the complexity when multiple CP or CPS documents exist. The last approach sounds risky because a CA Owner might overlook and not set the correct field. Usually it takes a few days between the creation of a new version of a CP/CPS and the update in CCADB so the "current date" will be an incorrect default most of the time. If there is no way to correlate the superseded with the updated CP/CPS effective date, I think it's better to leave it blank.
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/c5a54377-df08-4ed5-8131-b7d2021f22cd%40harica.gr.
Currently, we see some CA Owners using a URL with a specific version of the document and others using a URL that points to where the latest version of the document can be found. Both are acceptable. The POLICY DOCUMENTS guide states: "If the link to your CA’s most current policy document remains constant, then you can simply edit the document object to update the date, add policy identifiers, update comments, and update the list of applicable root certificates."
--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZquKwxKpJDfii7_ixs_zpZRqho9iuBp5-r9s_pgbLU9H2w%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/9C03D8B5-C6E1-4AA6-9BFF-471E33E4D119%40apple.com.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/MW4PR17MB4729B42F59C16FEA6D600DF9AA6C2%40MW4PR17MB4729.namprd17.prod.outlook.com.
CCADB records that formerly had "CP/CPS Same as Parent" ticked now have "CP Same As Parent" and "CPS Same As Parent" ticked but, crucially, "CP/CPS Same As Parent" has been unticked.
Please append the following fields to AllCertificateRecordsCSVFormatv2 as soon as possible:
"CP Same As Parent"
"CPS Same As Parent"
"CP Last Updated"
"CPS Last Updated"
One further issue I've noticed is that CP/CPS policy document URLs from Root Certificate records currently appear in the "Certificate Practice Statement (CPS) URL" field in the CSV file rather than the "Certificate Practice & Policy Statement" field. But perhaps your "larger policy document related enhancement separately in the future" already plans to address this?