TL;DR: The CCADB Steering Committee will soon update the CCADB policy to Version 1.2, which:
Adds seven (7) new requirements;
Changes six (6) existing requirements;
Standardizes CCADB “Incident Reports” from the longstanding Mozilla format and gives Root Stores the option to require these reports; and
Is planned to become effective February 15, 2023.
The CCADB Steering Committee provides this pre-release draft and requests that any concerns be expressed by the CA community before February 3, 2023.
All,
The CCADB policy will soon be updated to:
Clarify existing normative requirements and standardize terminology;
Account for recent CCADB system enhancements;
Require use of the ACAB’c template for ETSI AALs; and
Standardize incident and audit incident reports.
The redline comparison of CCADB policy Version 1.1 to Version 1.2 is here. The abbreviated list of new or changed requirements is here.
In conjunction with this policy update, a new page will be added to ccadb.org that states the value of incident reporting and defines a standard for incident and audit incident reports.
The incident report is borrowed from the longstanding Mozilla format currently in use.
The audit incident report format is new. This report intends to clarify audit non-conformities, qualifications, or modified opinions from audits with a specific focus on the root cause and remediation plan. In the past, incident reports have been requested based on audit statement findings. However, the amount of time passing before statement delivery to Root Stores combined with the often vague findings created inconsistent reporting.
This CCADB policy update offers a format for standardized reports, but it defers to individual Root Store policy on the enforcement of specific incident reporting requirements.
The Steering Committee intends for this version of the policy to become effective on February 15, 2023, and we plan to announce the release with a separate communication. We appreciate considerations from the CA community, either in a marked-up copy of any of these documents, or directly in this thread before February 3, 2023.
Thank you,
Chris, on behalf of the CCADB Steering Committee