TLDR: The CCADB Steering Committee has revamped the CA Self-Assessment template to a more comprehensive crosswalk of the current CCADB Policy, CA/Browser Forum TLS Baseline Requirements, EV Guidelines, Network and Certificate System Security Requirements, and some individual Root Program policies. The CCADB Steering Committee requests feedback on the updated template from the CA community before December 19, 2022.
Self-Assessments are valuable. They allow CA owners to reflect and make objective judgments and self learnings based on criteria they have agreed to follow. They also provide Root Stores with transparency and assurance that controls are in place and operating effectively to maintain privacy and security for end users. Finally, they provide an opportunity for continuous improvement by either calling attention to policy requirements that may be misinterpreted, or otherwise benefit from enhancement or modernization.
This updated template provides a comprehensive view of the various Web PKI requirements and allows mapping across CAs’ policy documents. The template includes worksheets for:
Instructions for completion of the assessment [Instructions]
Identifying which CAs the assessment does and does not cover [Cover Sheet]
CCADB Policy compliance attestation [CCADB Policy V1.1 Self-Assessment]
TLS BRs “shall” statements and policy document mappings through section references [TLS BRs V1.8.4 Self-Assessment (excludes EVGs)]
NCSSRs compliance attestation [NCSSRs V1.7 Self-Assessment]
EV Guidelines compliance attestation for CAs that issue EV certificates [TLS EV Self-Assessment (EV-issuers, only)]
Chrome Root Program Policy compliance attestation for CAs included in the Chrome Root Store [Chrome Root Program Policy V1.2 Self-Assessment]
Mozilla Root Store Policy compliance attestation for CAs trusted by Mozilla [Mozilla Compliance Self-Assessment]
*Worksheets may be added in the future for other participating root stores or relevant requirements
Understandably, if a Root Program requires CAs to utilize the CCADB Self-Assessment, they must expend effort to complete the comprehensive template on first use. However, the effort creates alignment between the Baseline Requirements (and RFC 3647 by association) and CA owners’ policy documents. Subsequent updates should be minimal, accounting for changes from the year prior. There is also the effort required to keep the template updated, and the CCADB Steering Committee will update the template whenever a corresponding set of policies is updated.
We appreciate feedback from the CA community, either in a copy of the sheet or directly in this thread before December 19, 2022. We will review the feedback and incorporate edits to the template as appropriate, and we will make the updated template available for use in the new year with a separate communication.
Thank you,
Chris, on behalf of the CCADB Steering Committee
--
You received this message because you are subscribed to the Google Groups "public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/91eaf48b-7a13-4c5a-891f-8ba5a448aa7fn%40ccadb.org.
Hi Chris,
I have a general comment about the template. It currently takes into account CP and CPS. However, there are some TSPs that have multiple CPSs that might need to be considered. In addition, the TSP I represent has a third mandatory document, the Trust Service Practice Statement (TSPS).
We established the Trust Service Practice Statement (TSPS) to list conditions that apply to all CPSs. This is to avoid redundancy in CPSs and possible errors due to the transfer of changes during the update.
For this reason, it should be possible to include at least the following three standard documents in the template: general CP, general TSPS and specific CPS.
Thanks,
Enrico