CCADB Self-Assessment - Feedback Request


Chris Clements

Nov 21, 2022, 3:48:52 PM
to pub...@ccadb.org

TLDR: The CCADB Steering Committee has revamped the CA Self-Assessment template to a more comprehensive crosswalk of the current CCADB Policy, CA/Browser Forum TLS Baseline Requirements, EV Guidelines, Network and Certificate System Security Requirements, and some individual Root Program policies. The CCADB Steering Committee requests feedback on the updated template from the CA community before December 19, 2022. 


Self-Assessments are valuable. They allow CA owners to reflect and make objective judgments and self learnings based on criteria they have agreed to follow. They also provide Root Stores with transparency and assurance that controls are in place and operating effectively to maintain privacy and security for end users. Finally, they provide an opportunity for continuous improvement by either calling attention to policy requirements that may be misinterpreted, or otherwise benefit from enhancement or modernization. 


This updated template provides a comprehensive view of the various Web PKI requirements and allows mapping across CAs’ policy documents. The template includes worksheets for:


  • Instruction for completion of the assessment [Instructions]

  • Identifying which CAs the assessment does and does not cover [Cover Sheet]

  • CCADB Policy compliance attestation [CCADB Policy V1.1 Self-Assessment]

  • TLS BRs “shall” statements and policy document mappings through section references [TLS BRs V1.8.4 Self-Assessment (excludes EVGs)]

  • NCSSRs compliance attestation [NCSSRs V1.7 Self-Assessment]

  • EV Guidelines compliance attestation for CAs that issue EV certificates [TLS EV Self-Assessment (EV-issuers, only)]

  • Chrome Root Program Policy compliance attestation for CAs included in the Chrome Root Store [Chrome Root Program Policy V1.2 Self-Assessment]

  • Mozilla Root Store Policy compliance attestation for CAs trusted by Mozilla [Mozilla Compliance Self-Assessment]

  • *Worksheets may be added in the future for other participating root stores or relevant requirements


Understandably, if a Root Program requires CAs to utilize the CCADB Self-Assessment, they must expend effort to complete the comprehensive template on first use. However, the effort creates alignment between the Baseline Requirements (and RFC 3647 by association) and CA owners’ policy documents. Subsequent updates should be minimal, accounting for changes from the year prior. There is also the effort required to keep the template updated, and the CCADB Steering Committee will update the template whenever a corresponding set of policies is updated.


We appreciate feedback from the CA community, either in a copy of the sheet or directly in this thread before December 19, 2022. We will review the feedback and incorporate edits to the template as appropriate, and we will make the updated template available for use in the new year with a separate communication. 


Thank you,

Chris, on behalf of the CCADB Steering Committee


Daryn Wright

Dec 19, 2022, 1:05:41 PM
to public, ccle...@google.com
I had some feedback that I wanted to post here to encourage discussion, as I might just be missing something simple.

First, on the sheet 'CCADB Policy V1.1 Self Assessment', row 5 asks for 'Office hours phone numbers' for the Primary PoC and at least one other.
I am unable to add, change, or verify any phone number as a CA PoC. I am not the Primary PoC for my CA, but there doesn't seem to be a place to put a phone number. Am I just missing where it goes? Also, in the age of remote working, an office hours phone number for individuals feels obsolete, especially when we already have timely response requirements on the emails. For many companies this would require people to put up their personal cell numbers, or sign up for a forwarding number.

Second, on the sheet 'TLS BRs V1.8.4 Self Assessment (excludes EVGs)', row 6.
This is a listing of every change ever made to the BRs; validating this appropriately would require reviewing and reading nearly every passed ballot in the history of the CA/B Forum. Each item listed here should also be represented in its own section and attested to there, making this section redundant and out of line with the method of verification on the rest of the self-assessment. Each section with a ballot change during the year should be updated to reflect that change already, and require an updated attestation during the annual update of the self-assessment, so I am not sure what purpose it serves to have us attest twice to the same thing.

Third, on the same sheet, rows 68-70 on section 3.2.2.4.3.
This is three lines verifying information for a method that is no longer in use. I believe the data reuse period is 398 days, but the longest data reuse period we have is 825 days. The method stopped on May 31, 2019. That means, using the data reuse period of 398 days, data from that method could no longer be used as of July 3, 2020, and the last issued cert using that data should have expired before August 6, 2021. If this somehow used the longer data reuse period, all certs would still be expired before October 7, 2022. Since this method is out of use and all certificates using it should be expired, can we drop this to 1 line to mirror 3.2.2.4.1, 3.2.2.4.9, and 3.2.2.4.10?

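The retirement timeline in the third point above is the kind of check a root program or a CA's compliance team will want to reproduce for any sunset validation method, so here it is worked through as an added example (this code is not part of the thread and not from the CCADB template). It takes the sunset date (May 31, 2019) and the two reuse periods (398 and 825 days) from the post; the 398-day maximum certificate validity and the counting convention (data obtained on the sunset day is still usable on sunset plus the reuse period, and a certificate issued on that last day runs for the full validity) are assumptions of the example. The post's figures land one to two days after the ones computed here, which is the difference between inclusive and exclusive day counting; the example also generalizes to a worst case across several reuse periods and to a yes/no "fully retired as of" check.

```python
from datetime import date, timedelta

# Constructed inputs taken from the post above: validation method 3.2.2.4.3
# stopped being used on 2019-05-31, and the two data reuse periods under
# discussion are 398 and 825 days.
METHOD_SUNSET = date(2019, 5, 31)
REUSE_PERIODS_DAYS = (398, 825)

# Assumption (not stated on the page): subscriber certificates issued from the
# reused validation data have at most 398 days of validity.
MAX_CERT_VALIDITY_DAYS = 398


def retirement_timeline(sunset, reuse_days, validity_days):
    """Return the key dates for data gathered by a retired validation method.

    Counting convention (an assumption of this example): data obtained on the
    sunset day itself may still be reused on ``sunset + reuse_days``; a
    certificate issued on that last day expires ``validity_days`` later.
    """
    last_reuse_day = sunset + timedelta(days=reuse_days)
    last_expiry = last_reuse_day + timedelta(days=validity_days)
    return {
        "last_reuse_day": last_reuse_day,
        "first_unusable_day": last_reuse_day + timedelta(days=1),
        "last_expiry": last_expiry,
    }


def latest_possible_expiry(sunset, reuse_periods, validity_days):
    """Worst case across several reuse periods, for when a CA cannot tell which
    period applied to a particular validation record: the latest expiry wins."""
    return max(
        retirement_timeline(sunset, days, validity_days)["last_expiry"]
        for days in reuse_periods
    )


def method_fully_retired(sunset, reuse_periods, validity_days, as_of):
    """True once no certificate relying on data from the method can still be
    valid on the ``as_of`` date, i.e. the worst-case expiry is strictly past."""
    return latest_possible_expiry(sunset, reuse_periods, validity_days) < as_of


if __name__ == "__main__":
    for days in REUSE_PERIODS_DAYS:
        t = retirement_timeline(METHOD_SUNSET, days, MAX_CERT_VALIDITY_DAYS)
        print(f"reuse {days}d: data unusable from {t['first_unusable_day']}, "
              f"last certificate expires {t['last_expiry']}")
    # The thread was written on 2022-12-19; by then even the 825-day case is over.
    print("fully retired as of 2022-12-19:",
          method_fully_retired(METHOD_SUNSET, REUSE_PERIODS_DAYS,
                               MAX_CERT_VALIDITY_DAYS, date(2022, 12, 19)))
```

Run it as a script to print both timelines; to apply it to another method, change `METHOD_SUNSET`, the reuse periods and, if your CA's maximum validity differs, `MAX_CERT_VALIDITY_DAYS`. Because `method_fully_retired` uses the longest reuse period, it errs on the side of keeping a self-assessment row until the last conceivable certificate has expired.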
Chris Clements

Dec 19, 2022, 1:58:47 PM
to Daryn Wright, public
Hi Daryn,

Thank you for the specific feedback!
  1. The “Office hours phone number” requirement for the Primary POC and one other POC in the CCADB policy v1.1 is planned for removal in the next policy update.
  2. Agree with your observation, and we should modify the statement included to align with the verification method used for all other BR requirements.
  3. This draft was created with BR v1.8.4 in effect. Since its release, the BRs have incremented two versions, and 1.8.5 modified this requirement to be in line with 3.2.2.4.1, etc. The final copy of this self-assessment will include the updates from BRs v1.8.6 and EV Guidelines v1.8.0 (and any additional policy updates that occur before release).
Thanks again
-Chris

--
You received this message because you are subscribed to the Google Groups "public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/91eaf48b-7a13-4c5a-891f-8ba5a448aa7fn%40ccadb.org.

Entschew, Enrico

Dec 20, 2022, 2:49:25 AM
to Chris Clements, pub...@ccadb.org

Hi Chris,
I have a general comment about the template. It currently takes into account CP and CPS. However, there are some TSPs that have multiple CPSs that might need to be considered. In addition, the TSP I represent has a third mandatory document, the Trust Service Practice Statement (TSPS).

We established the Trust Service Practice Statement (TSPS) to list conditions that apply to all CPSs. This is to avoid redundancy in CPSs and possible errors due to the transfer of changes during the update.

For this reason, it should be possible to include at least the following three standard documents in the template: general CP, general TSPS and specific CPS.

Thanks,

Enrico


Chris Clements

Dec 20, 2022, 11:46:58 AM
to Entschew, Enrico, pub...@ccadb.org
Hi Enrico,

Thank you for the feedback. We did consider TSPS documents when drafting the self-assessment and included the “or TSPS” statement in column E.

When prototyping the draft template, we sampled a few “shall” statements from the BRs and cross-referenced each requirement against a few different CA owners’ CP, CPS, and TSPS to ensure the template covers the use case you describe.
  • In most instances the BR statement was addressed in the corresponding section of the CP and further identified in the CPS, but not always.
  • In some instances we found the CPS (or multiple CPSs) redirect to the TSPS to satisfy the BR statement, but the sections of the documents did not always match. In these instances we would expect column E to be populated with the CPS or TSPS section that adheres to the CP and thus the BRs.
Your feedback does demonstrate the need to update the cover sheet to account for the possibility of multiple CPS(s) and the TSPS document. This will be included in the final copy.

Thanks again!
-Chris