Clarification on CCADB Section 5.2: Incident Disclosure Across Mixed Subordinate CA Audit Scopes

132 views
Skip to first unread message

大野文彰(ONO Fumiaki)

unread,
Jun 30, 2026, 3:36:06 AM (9 days ago) Jun 30
to CCADB Public

Hello,

We are seeking clarification on CCADB Policy Section 5.2 "Audit Statement Content" ( https://www.ccadb.org/policy#52-audit-statement-content ), specifically regarding how incident disclosures should be presented in audit statements when both audited subordinate CAs and externally-operated subordinate CAs exist within the same root CA hierarchy.

As a starting point, we intend to separate the presentation of Bugzilla-reported incidents into two distinct categories within the root CA owners audit statement:

  • Incidents related to subordinate CAs that are included in the scope of the root CA owners audit statement
  • Incidents related to externally-operated subordinate CAs that maintain independent audit statements and are not included in the root CA owners audit scope

This separation is intended to clearly distinguish audit scope, available audit evidence, and verification responsibility, while ensuring that all incidents disclosed by SECOM in Bugzilla are fully accounted for.

Under this presentation model, we are considering the following approach:

For subordinate CAs included in the root CA owners audit scope, the auditor will verify not only the existence of incidents but also the status and appropriateness of the Root Cause analysis and corresponding Action Items.

For externally-operated subordinate CAs outside the scope of the root CA owners audit, the auditor will rely on the independent audit statement issued for the subordinate CA. In such cases, that audit is expected to cover the Root Cause analysis and Action Items relating to both the externally-operated subordinate CAs responsibilities and any relevant responsibilities attributable to the root CA owner.

However, within the root CA owners audit statement, the extent of verification for externally operated subordinate CAs may differ depending on the availability of audit evidence.

In such cases, verification of the Root Cause analysis and corresponding Action Items is performed based on available evidence within the root CA owners audit, while detailed verification is expected to be performed as part of the audit of the externally operated subordinate CA, in accordance with its independent audit scope.

This approach does not change the underlying responsibility model, but reflects how audit procedures are applied based on scope and available evidence.

In this way, all Bugzilla incidents disclosed by SECOM are included, while audit evidence and verification responsibilities are separated according to audit scope.

Additionally, even in cases where incidents related to externally-operated subordinate CAs are already covered by the subordinate CAs independent audit statement, we consider that including those incidents in the root CA owners audit statement (i.e., duplicating the disclosure) would not present compliance concerns and may enhance overall transparency.

We would appreciate the communitys feedback on the following specific points:
1. Whether separating incident disclosure based on audit scope (i.e., in-scope vs. out-of-scope subordinate CAs) is acceptable under CCADB Policy Section 5.2
2. Whether including incidents related to externally operated subordinate CAs in the root CA owner
s audit statement, even when those incidents are already covered in the subordinate CAs independent audit statement (i.e., duplication of disclosure), is considered acceptable or preferred from a compliance and transparency perspective.

Best regards,

ONO Fumiaki /
大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.

Ben Wilson

unread,
Jul 1, 2026, 2:00:48 AM (8 days ago) Jul 1
to 大野文彰(ONO Fumiaki), CCADB Public

Dear Ono-san,

Thank you for your questions.

Here is a brief response limited to the specific questions you raised. No opinion is expressed regarding any other content or explanation provided in your email.

1. Is it acceptable to separate incident disclosures based on audit scope (i.e., in-scope vs. out-of-scope subordinate CAs)?

Response: Yes. This is acceptable, provided that all required incidents are disclosed and the presentation clearly identifies which audit statement addresses each incident.

2. Is it acceptable to include incidents related to externally operated subordinate CAs in the Root CA Owner's audit statement, even when those incidents are already covered in the subordinate CA's independent audit statement?

Response: Yes. The CCADB Policy does not prohibit duplicate disclosure. Including an incident in more than one audit statement is acceptable and may improve clarity and transparency.

Sincerely yours,

Ben Wilson

CCADB Support


--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/57b50af4-9a0d-4078-ac59-4ec3b16a7450n%40ccadb.org.

大野文彰(ONO Fumiaki)

unread,
Jul 1, 2026, 1:25:22 PM (8 days ago) Jul 1
to CCADB Public, Ben Wilson, CCADB Public, 大野文彰(ONO Fumiaki)
Dear Ben-san,

Thank you for your prompt and clear response.

Your clarification is very helpful and provides valuable guidance for how we present incident disclosures in our audit statements.

We understand from your response that:

- Incident disclosures may be separated according to audit scope, provided that all required incidents are disclosed and the applicable audit statement for each incident is clearly identified.
- Duplicate disclosure of incidents across multiple audit statements is acceptable and may enhance transparency.

We appreciate your guidance and the time taken to clarify these points.


Best regards,

ONO Fumiaki / 大野 文彰
(Japanese name order: family name first, in uppercase)
SECOM Trust Systems CO., LTD.


2026年7月1日水曜日 15:00:48 UTC+9 Ben Wilson:
Reply all
Reply to author
Forward
0 new messages