TL;DR: The CCADB Steering Committee will soon update the CCADB policy to Version 1.3.0 [1], which consolidates several requirements that currently exist in separate Root Store policies. The CCADB Steering Committee provides this pre-release draft and requests that any concerns be expressed by the CA community before October 25, 2023.
All,
The CCADB policy [2] will soon be updated to Version 1.3.0 [1]. This update collects some currently disparate requirements from Root Store policies and adds them to the CCADB policy. Some Root Stores may update their individual policies in the future to remove duplicative requirements.
In general, this update:
- adds clarifying language to “Section 5. Policies, Audits, and Practices”;
- states CA Owners must disclose at least an authoritative English version of policy documents to the CCADB;
- adds Audit Team Qualifications that are provided to the CCADB; and
- (if required by a Root Store policy) defines the submission requirements for the CCADB Self-Assessment.
The specific changes can be viewed in this PR [1]. This update does not intend to create any new requirements for CA Owners included in the CCADB; rather, it intends to combine some existing requirements into a single source to simplify compliance activities.
The Steering Committee intends for this version of the policy to become effective on October 25, 2023, and we plan to announce the release with a separate communication. We appreciate considerations from the CA community, either in the PR or directly in this thread before October 25, 2023.
Thank you,
-Chris, on behalf of the CCADB Steering Committee
Can a single self-assessment be used if all CAs operate under the same CP, but there are different CPS documents for the Root CA vs. the Subordinate CAs since they issue different types of certificates (i.e., the Root only issues CA certs and required infrastructure certificates, while the Subordinate CAs issue TLS subscriber certificates and any required infrastructure certificates, so the practices might be different from the Root)?

If an annual CCADB self-assessment is required by the individual Store policy, a single self-assessment may cover multiple CAs operating under both the same CP and CPS(s), or combined CP/CPS. CAs not operated under the same CP and CPS(s) or combined CP/CPS must be covered in a separate self-assessment.
Wendy
Wendy Brown
Supporting GSA
FPKIMA Technical Liaison
Protiviti Government Services
703-965-2990 (cell)
Hi Wendy,
The scope of each self-assessment is intended to represent the set of CAs operating under the same policies (i.e., the same CP/CPS combination, or a combined CP/CPS document).
To elaborate and illustrate, if we assume the following scenario:
- Root “ABC”:
  - Operates under CP #1
  - Operates under CPS #1
- Subordinate CAs “123” and “456”:
  - Operate under CP #1
  - Operate under CPS #2
We would expect:
Self-Assessment #1:
Policies Considered: CP #1, CPS #1
CAs in scope: “ABC”
CAs not in scope (i.e., covered under another assessment): “123”, “456”, “789”
Self-Assessment #2:
Policies Considered: CP #1, CPS #2
CAs in scope: “123”, “456”
CAs not in scope (i.e., covered under another assessment): “ABC”, “789”
Self-Assessment #3:
Policies Considered: CP #1, CPS #3
CAs in scope: “789”
CAs not in scope (i.e., covered under another assessment): “ABC”, “123”, “456”
The “(s)” in “operating under both the same CP and CPS(s)” is intended to describe scenarios where a single CA is operated under multiple CPS documents. For example, some CAs operate under a CPS and a Trust Service Practice Statement (which today does not have a separate designation in the CCADB and is sometimes identified as a CPS document type).
I hope this helps.