CCADB Policy Version 1.2 Pre-Release Notification


Chris Clements

Jan 11, 2023, 4:55:05 PM
to public

TL;DR: The CCADB Steering Committee will soon update the CCADB policy to Version 1.2, which:

  • Adds seven (7) new requirements

  • Changes six (6) existing requirements; 

  • Standardizes CCADB “Incident Reports” from the longstanding Mozilla format and gives Root Stores the option to require these reports; and 

  • Is planned to become effective February 15, 2023. 

The CCADB Steering Committee provides this pre-release draft and requests that any concerns be expressed by the CA community before February 3, 2023.



All,


The CCADB policy will soon be updated to:


  1. Clarify existing normative requirements and standardize terminology; 

  2. Account for recent CCADB system enhancements;

  3. Require use of the ACAB’c template for ETSI AALs; and

  4. Standardize incident and audit incident reports.


The redline comparison of CCADB policy Version 1.1 to Version 1.2 is here. The abbreviated list of new or changed requirements is here.


In conjunction with this policy update, a new page will be added to ccadb.org that states the value of incident reporting and defines a standard for incident and audit incident reports. 


  • The incident report is borrowed from the longstanding Mozilla format currently in use. 

  • The audit incident report format is new. This report intends to clarify audit non-conformities, qualifications, or modified opinions from audits with a specific focus on the root cause and remediation plan. In the past, incident reports have been requested based on audit statement findings. However, the amount of time passing before statement delivery to Root Stores combined with the often vague findings created inconsistent reporting. 


This CCADB policy update offers a format for standardized reports, but it defers to individual Root Store policy on the enforcement of specific incident reporting requirements.


The Steering Committee intends for this version of the policy to become effective on February 15, 2023, and we plan to announce the release with a separate communication. We appreciate considerations from the CA community, either in a marked-up copy of any of these documents, or directly in this thread before February 3, 2023.


Thank you,

Chris, on behalf of the CCADB Steering Committee


Kurt Seifried

Jan 11, 2023, 6:59:07 PM
to Chris Clements, public
On Wed, Jan 11, 2023 at 2:55 PM 'Chris Clements' via public <pub...@ccadb.org> wrote:

> TL;DR: The CCADB Steering Committee will soon update the CCADB policy to Version 1.2, which:
>
> Changed: For technical reasons, URLs to audit statements need to point to a PDF file.

Shouldn't they also be HTTPS? There are a ton of links to HTTP audit docs across the CCADB data. I mean... I feel like a CA should be able to do HTTPS consistently. Right?
 


--
Kurt Seifried (He/Him)
ku...@seifried.org

Ben Wilson

Jan 11, 2023, 7:49:07 PM
to Kurt Seifried, Chris Clements, public
The CCADB won't process an audit unless it is downloaded via https.
There are only about 20 standard audit records in the CCADB that still have http, but over 1,000 that are https.
Ben
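The two URL rules raised in this thread, that an audit-statement link must be served over https and must point to a PDF file, can be checked mechanically before a record is submitted. The script below is an added example written for this page; it is not CCADB code and does not use any CCADB API. The URLs in `SAMPLE_AUDIT_URLS` are constructed for illustration, and the only rules applied are the two named in the thread (scheme and file type), so a URL passing these checks has not been validated against the full CCADB policy.

```python
from urllib.parse import urlparse

# Constructed sample of audit-statement URLs (hypothetical hosts and paths,
# not taken from the CCADB). One uses plain http, one points at an HTML page.
SAMPLE_AUDIT_URLS = [
    "https://example-ca.test/audits/webtrust-2022.pdf",
    "http://example-ca.test/audits/webtrust-2021.pdf",
    "https://example-ca.test/audits/etsi-2022.html",
    "https://example-ca.test/audits/report.PDF?download=1",
]


def check_audit_url(url: str) -> list[str]:
    """Return the list of problems with an audit-statement URL.

    Two checks follow the thread: the scheme must be https (the CCADB only
    processes audits fetched over https) and the path must name a PDF file
    (the "Changed" item quoted from the Version 1.2 list). An empty list
    means the URL passes both checks. Query strings are ignored because the
    file type is decided by the path, not by parameters appended to it.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        problems.append(f"scheme is {parsed.scheme or 'missing'!r}, expected 'https'")
    if not parsed.netloc:
        problems.append("no host in URL")
    if not parsed.path.lower().endswith(".pdf"):
        problems.append("path does not end in .pdf")
    return problems


def summarize(urls):
    """Count URLs per scheme and collect those failing check_audit_url.

    Returns (counts_by_scheme, failures) where failures maps each failing
    URL to its list of problems. The per-scheme count mirrors the kind of
    http-vs-https tally Ben gives for the CCADB audit records.
    """
    by_scheme = {}
    failures = {}
    for url in urls:
        scheme = urlparse(url).scheme.lower() or "(none)"
        by_scheme[scheme] = by_scheme.get(scheme, 0) + 1
        problems = check_audit_url(url)
        if problems:
            failures[url] = problems
    return by_scheme, failures


if __name__ == "__main__":
    counts, failing = summarize(SAMPLE_AUDIT_URLS)
    print("URLs by scheme:", counts)
    for url, problems in failing.items():
        print(url)
        for problem in problems:
            print("  -", problem)
```

Run against a CA's own list of audit-statement links before the annual update, the `failing` map shows exactly which records would be rejected on the https rule or the PDF rule and why.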
