CCADB Policy 2.1 Published and Effective


Ben Wilson

Mar 20, 2026, 2:43:25 PM
to public

All,

The CCADB Steering Committee has published CCADB Policy version 2.1, effective March 20, 2026, which is now available at: https://www.ccadb.org/policy

This update introduces several clarifications and enhancements to existing expectations, including:

  • Clarification of expectations for subordinate CA ownership disclosure.

  • A new requirement, effective September 15, 2026, for additional disclosures within PKI policy documents to more clearly establish their scope and applicability.

  • Clarified audit expectations for CAs supporting time-stamping use cases.

  • Clarification of expectations related to explanatory letter disclosures when audit statements are delayed.

  • Encouragement for Qualified Auditors to review publicly disclosed incident reports and provide an opinion on incident handling and remediation.

  • Clarified CRL disclosure expectations, including the introduction of a new CCADB field, “All Full CRL URIs.” This field will require a properly formatted JSON array containing the complete set of distinct HTTP URLs appearing in the crlDistributionPoints extension of unexpired certificates issued by the CA. This requirement applies even when only a single full CRL is used.

CCADB participants are encouraged to review the updated policy in full and assess any necessary updates to their practices and disclosures.

If you have any questions or feedback, please raise them through the appropriate CCADB support or CCADB public discussion channels.

Regards,
Ben Wilson
CCADB Steering Committee
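
Added example, not part of the original post and not CCADB tooling: one way to build and sanity-check a value for the "All Full CRL URIs" field described in the last bullet above. The input shape (a notAfter timestamp plus the crlDistributionPoints URIs per issued certificate), the function names, the sorted output, and treating only the `http` scheme as an HTTP URL are assumptions; the sample data is constructed.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)
# Constructed sample: (notAfter, crlDistributionPoints URIs) per issued certificate.
CERTS = [
    ("2027-01-10T00:00:00+00:00", ["http://crl.example.test/ca1.crl",
                                   "ldap://dir.example.test/cn=CA1"]),
    ("2026-11-02T00:00:00+00:00", ["http://crl.example.test/ca1.crl"]),
    ("2025-06-30T00:00:00+00:00", ["http://old.example.test/ca1.crl"]),  # expired
    ("2028-03-01T00:00:00+00:00", ["http://crl2.example.test/ca1.crl"]),
]

def is_http(url):
    # Assumption: "HTTP URL" means the http scheme; non-HTTP names (ldap) are skipped.
    return urlsplit(url).scheme.lower() == "http"

def expected_uris(certs, now):
    """Distinct HTTP CRL URLs found in the CDP extension of unexpired certificates."""
    uris = set()
    for not_after, cdp in certs:
        if datetime.fromisoformat(not_after) > now:
            uris.update(u for u in cdp if is_http(u))
    return uris

def build_field(certs, now):
    """Always emit a JSON array, even for one URL. Sorting is an assumption."""
    return json.dumps(sorted(expected_uris(certs, now)))

def check_field(value, certs, now):
    """Return a list of problems found in a disclosed field value."""
    try:
        disclosed = json.loads(value)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(disclosed, list) or not all(isinstance(u, str) for u in disclosed):
        return ["must be a JSON array of strings"]
    problems = []
    if len(set(disclosed)) != len(disclosed):
        problems.append("duplicate URL")
    problems += [f"not an HTTP URL: {u}" for u in disclosed if not is_http(u)]
    want = expected_uris(certs, now)
    problems += [f"missing: {u}" for u in sorted(want - set(disclosed))]
    # Flagging URLs not seen in any unexpired certificate is an assumption.
    problems += [f"not in unexpired certs: {u}" for u in sorted(set(disclosed) - want)]
    return problems
```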

