On briefly reviewing CAs' Certificate Policies and Audits at random, a few issues arose with respect to CCADB policy. My intent here isn't to highlight a specific CA at fault, but to note that there seems to be a theme of these policies not being adhered to. To that end, while I'm talking about a specific CA in each issue, it impacts more than just one.
CCADB Policy 5.1: Audit Statement Content

Since version 1.2, effective February 15, 2023, there has been this language affecting audit reports:

- List of the CA Owner's applicable policy documents (with version numbers and publication dates) referenced during the audit;
As an example, if we look at ACCV's TLS BR audit from 2023-06-28, they mention: "ACCV’s Certification Practice Statement (CPS) – v4.0.11; and"
Now, this is compatible with the Baseline Requirements, which don't impose the publication date requirement, but not with CCADB policy. I am under the impression that audits are automatically checked via the Audit Letter Validation process; how does this function in practice, and does it need updating?
As an aside, it seems ACCV have an updated CPS that isn't included in their CCADB record? The record points at a 4.0.13 CPS, while the website has a 5.0.2. Please be advised that minotaurs may be present if attempting to find this page on your own.
Authoritative Language

Since CCADB Policy 1.0 there has been wording to the effect of:
As of June 1 2017, CAs must provide English versions of any Certificate Policy and Certification Practice Statement documents which are not originally in English, with version numbers matching the document they are a translation of. The English version is not required to be authoritative in all cases of dispute, but the CA must attest that the translation is not materially different to the original.
With that in mind, and with Actalis as an example, how does this CPS comply:
1.2 Document Identification
This document is the Certification Practice Statement (CPS) applying to SSL Server and Code Signing certificates issued by Actalis S.p.A. Version and time of last revision are indicated on the first page. This document is published on Actalis’ web site in two languages: Italian and English. In the event of any inconsistency between the two versions, the Italian version takes precedence.
What is the actual process for checking certificate policies against CCADB policy? I was checking a few policies for their 1.4.2 text and stumbled on these so there are doubtless more issues...
- Wayne
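As an added illustration of the kind of check the CCADB Policy 5.1 question above is asking about, here is a small checker that splits an audit statement's list of referenced policy documents and flags any entry lacking a version number or a publication date. This is example code written for this thread, not CCADB's Audit Letter Validation tooling, and the regular expressions are assumptions about how audit statements commonly phrase versions and dates; the first sample input is the ACCV excerpt quoted in the post, the second is a constructed compliant entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Words that mark a list entry as a policy document reference.
DOC_KEYWORDS = re.compile(
    r"\b(Certificate Policy|Certification Practice Statement|CPS|CP)\b",
    re.IGNORECASE,
)
# "v4.0.11", "version 1.8", "v2.3" -- an assumption about typical phrasing.
VERSION_RE = re.compile(r"\bv(?:ersion)?\.?\s*(\d+(?:\.\d+)*)\b", re.IGNORECASE)
# ISO dates, "28 June 2023" and "June 28, 2023" -- also an assumption.
DATE_RE = re.compile(
    r"\b(\d{4}-\d{2}-\d{2}"
    r"|\d{1,2}\s+[A-Z][a-z]+\s+\d{4}"
    r"|[A-Z][a-z]+\s+\d{1,2},\s+\d{4})\b"
)


@dataclass
class PolicyRef:
    text: str
    version: Optional[str]
    published: Optional[str]

    @property
    def compliant(self) -> bool:
        # CCADB Policy 5.1 wants both a version number and a publication date.
        return self.version is not None and self.published is not None


def extract_policy_refs(audit_text: str) -> List[PolicyRef]:
    """Split the audit statement on ';' and newlines, keep the entries that
    name a CP or CPS, and pull out whatever version and date each carries."""
    refs = []
    for fragment in re.split(r"[;\n]", audit_text):
        fragment = fragment.strip().rstrip(".")
        if not fragment or not DOC_KEYWORDS.search(fragment):
            continue
        version = VERSION_RE.search(fragment)
        published = DATE_RE.search(fragment)
        refs.append(PolicyRef(
            text=fragment,
            version=version.group(1) if version else None,
            published=published.group(1) if published else None,
        ))
    return refs


def missing_publication_dates(audit_text: str) -> List[str]:
    """Return the referenced policy documents that carry no publication date."""
    return [r.text for r in extract_policy_refs(audit_text) if r.published is None]


# Excerpt quoted from the ACCV audit statement discussed in the post.
ACCV_EXCERPT = "ACCV’s Certification Practice Statement (CPS) – v4.0.11; and"

# Constructed example of entries that satisfy the version + date requirement.
COMPLIANT_EXCERPT = (
    "Example CA Certification Practice Statement v2.3, published 2023-05-01; "
    "Example CA Certificate Policy, version 1.8, dated 12 April 2023."
)

if __name__ == "__main__":
    for label, text in (("ACCV", ACCV_EXCERPT), ("constructed", COMPLIANT_EXCERPT)):
        for ref in extract_policy_refs(text):
            status = "OK" if ref.compliant else "MISSING version or date"
            print(f"[{label}] {status}: {ref.text!r} "
                  f"(version={ref.version}, published={ref.published})")
```

Run against the ACCV excerpt the checker reports the CPS entry as having a version but no publication date, which is exactly the gap between the Baseline Requirements wording and CCADB Policy 5.1 that the post raises.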