CCADB Policy Version 1.3.0 Pre-Release Notification


Chris Clements

Oct 11, 2023, 9:49:28 AM
to public

TL;DR: The CCADB Steering Committee will soon update the CCADB policy to Version 1.3.0 [1], which consolidates several requirements that currently exist in separate Root Store policies. The CCADB Steering Committee provides this pre-release draft and requests that any concerns be expressed by the CA community before October 25, 2023.


All,


The CCADB policy [2] will soon be updated to Version 1.3.0 [1]. This update collects some currently disparate requirements from Root Store policies and adds them to the CCADB policy. Some Root Stores may update their individual policies in the future to remove duplicative requirements. 


In general, this update:


  1. adds clarifying language to “Section 5. Policies, Audits, and Practices”;

  2. states CA Owners must disclose at least an authoritative English version of policy documents to the CCADB;

  3. adds Audit Team Qualifications that are provided to the CCADB; and

  4. (if required by a Root Store policy) defines the submission requirements for the CCADB Self-Assessment.


The specific changes can be viewed in this PR [1]. This update does not intend to create any new requirements for CA Owners included in the CCADB, rather it intends to combine some existing requirements into a single source to simplify compliance activities.


The Steering Committee intends for this version of the policy to become effective on October 25, 2023, and we plan to announce the release with a separate communication. We appreciate considerations from the CA community, either in the PR or directly in this thread, before October 25, 2023.


Thank you,

-Chris, on behalf of the CCADB Steering Committee


[1] https://github.com/mozilla/www.ccadb.org/pull/138/files

[2] https://www.ccadb.org/policy

Wendy Brown - QT3LB-C

Oct 11, 2023, 10:33:25 AM
to Chris Clements, public
A question about the following statement:
If an annual CCADB self-assessment is required by the individual Store policy, a single self-assessment may cover multiple CAs operating under both the same CP and CPS(s), or combined CP/CPS. CAs not operated under the same CP and CPS(s) or combined CP/CPS must be covered in a separate self-assessment.
Can a single self-assessment be used if all CAs operate under the same CP, but there are different CPS documents for the Root CA vs. the Subordinate CAs since they issue different types of certificates (i.e., the Root only issues CA certificates and required infrastructure certificates, while the Subordinate CAs issue TLS subscriber certificates and any required infrastructure certificates, so the practices might be different from the Root)?

I can't quite tell if that is what is meant by including the (s) after CPS.

thanks,

Wendy


Wendy Brown

Supporting GSA

FPKIMA Technical Liaison

Protiviti Government Services

703-965-2990 (cell)



Chris Clements

Oct 11, 2023, 1:01:11 PM
to Wendy Brown - QT3LB-C, public

Hi Wendy,


The scope of each self-assessment is intended to represent the set of CAs operating under the same policies (i.e., the same CP/CPS combination, or a combined CP/CPS document). 


To elaborate and illustrate, if we assume the following scenario:


  • Root “ABC”:
    • Operates under CP #1
    • Operates under CPS #1

  • Subordinate CAs “123” and “456”:
    • Operate under CP #1
    • Operate under CPS #2

  • Subordinate CA “789”:
    • Operates under CP #1
    • Operates under CPS #3

We would expect:

  • Self-Assessment #1:

    • Policies Considered: CP #1, CPS #1

    • CAs in scope: “ABC”

    • CAs not in scope (i.e., covered under another assessment): “123”, “456”, “789”


  • Self-Assessment #2:

    • Policies Considered: CP #1, CPS #2

    • CAs in scope: “123”, “456”

    • CAs not in scope (i.e., covered under another assessment): “ABC”, “789”


  • Self-Assessment #3:

    • Policies Considered: CP #1, CPS #3

    • CAs in scope: “789”

    • CAs not in scope (i.e., covered under another assessment): “ABC”, “123”, “456”


The “(s)” in “operating under both the same CP and CPS(s)” is intended to describe scenarios where a single CA is operated under multiple CPS documents. For example, some CAs operate under a CPS and a Trust Service Practice Statement (which today does not have a separate designation in the CCADB and is sometimes identified as a CPS document type).


I hope this helps.


Thanks,
-Chris

Wendy Brown - QT3LB-C

Oct 11, 2023, 1:17:06 PM
to Chris Clements, public
I would like to suggest that a single assessment might be appropriate, using your examples, for the following CAs, all operated by the same organization:
  • Root “ABC”:
    • Operates under CP #1
    • Operates under CPS #1

  • Subordinate CAs “123” and “456”:
    • Operate under CP #1
    • Operate under CPS #2

The differences in practice based on whether a CA is a root or subordinate may be easier to document in 2 different CPS documents, but the PKI as a whole should be under a single self-assessment in order to see the entire picture.

thanks,

Wendy


Wendy Brown

Supporting GSA

FPKIMA Technical Liaison

Protiviti Government Services

703-965-2990 (cell)
