I would like to suggest that a single assessment might be appropriate using
your examples for the following CAs all operated by the same organization:
- Root “ABC”:
  - Operates under CP #1
  - Operates under CPS #1
- Subordinate CAs “123” and “456”:
  - Operate under CP #1
  - Operate under CPS #2
The differences in practice based on whether a CA is a root or subordinate
may be easier to document in 2 different CPS documents, but the PKI as a
whole should be under a single self-assessment in order to see the entire
picture.
thanks,
Wendy
Wendy Brown
Supporting GSA
FPKIMA Technical Liaison
Protiviti Government Services
703-965-2990 (cell)
On Wed, Oct 11, 2023 at 1:01 PM Chris Clements <[email protected]> wrote:
> Hi Wendy,
>
>
> The scope of each self-assessment is intended to represent the set of CAs
> operating under the same policies (i.e., the same CP/CPS combination, or a
> combined CP/CPS document).
>
>
> To elaborate and illustrate, if we assume the following scenario:
>
> - Root “ABC”:
>   - Operates under CP #1
>   - Operates under CPS #1
> - Subordinate CAs “123” and “456”:
>   - Operate under CP #1
>   - Operate under CPS #2
> - Subordinate CA “789”:
>   - Operates under CP #1
>   - Operates under CPS #3
>
> We would expect:
>
> - Self-Assessment #1:
>   - Policies Considered: CP #1, CPS #1
>   - CAs in scope: “ABC”
>   - CAs *not* in scope (i.e., covered under another assessment): “123”, “456”, “789”
> - Self-Assessment #2:
>   - Policies Considered: CP #1, CPS #2
>   - CAs in scope: “123”, “456”
>   - CAs *not* in scope (i.e., covered under another assessment): “ABC”, “789”
> - Self-Assessment #3:
>   - Policies Considered: CP #1, CPS #3
>   - CAs in scope: “789”
>   - CAs *not* in scope (i.e., covered under another assessment): “ABC”, “123”, “456”
>
> The “(s)” in “operating under both the same CP and CPS(s)” is intended to
> describe scenarios where a single CA is operated under multiple CPS
> documents. For example, some CAs operate under a CPS and a Trust Service
> Practice Statement (which today does not have a separate designation in the
> CCADB and is sometimes identified as a CPS document type).
>
> I hope this helps.
>
> Thanks
> -Chris
>
> On Wed, Oct 11, 2023 at 10:33 AM Wendy Brown - QT3LB-C <
> [email protected]> wrote:
>
>> A question about the following statement:
>>
>> If an annual CCADB self-assessment is required by the individual Store
>> policy, a single self-assessment may cover multiple CAs operating under
>> both the same CP and CPS(s), or combined CP/CPS. CAs not operated under the
>> same CP and CPS(s) or combined CP/CPS must be covered in a separate
>> self-assessment.
>>
>> Can a single self-assessment be used if all CAs operate under the same
>> CP, but there are different CPS documents for the Root CA vs. the
>> Subordinate CAs since they issue different types of certificates (i.e., the
>> Root only issues CA certs and required infrastructure certificates, while
>> the Subordinate CAs issue TLS subscriber certificates and any required
>> infrastructure certificates, so the practices might be different from the
>> Root)?
>>
>> I can't quite tell if that is what is meant by including the (s) after
>> CPS.
>>
>> thanks,
>>
>> Wendy
>>
>>
>> Wendy Brown
>> Supporting GSA
>> FPKIMA Technical Liaison
>> Protiviti Government Services
>> 703-965-2990 (cell)
>>
>>
>> On Wed, Oct 11, 2023 at 9:49 AM 'Chris Clements' via CCADB Public <
>> [email protected]> wrote:
>>
>>> TL;DR: The CCADB Steering Committee will soon update the CCADB policy
>>> to Version 1.3.0
>>> <https://github.com/mozilla/www.ccadb.org/pull/138/files> [1], which
>>> consolidates several requirements that currently exist in separate Root
>>> Store policies. The CCADB Steering Committee provides this pre-release
>>> draft and requests that any concerns be expressed by the CA community before
>>> October 25, 2023.
>>>
>>> All,
>>>
>>> The CCADB policy <https://www.ccadb.org/policy> [2] will soon be
>>> updated to Version 1.3.0 [1]. This update collects some currently disparate
>>> requirements from Root Store policies and adds them to the CCADB policy.
>>> Some Root Stores may update their individual policies in the future to
>>> remove duplicative requirements.
>>>
>>> In general, this update:
>>>
>>> 1. adds clarifying language to “Section 5. Policies, Audits, and
>>>    Practices”;
>>> 2. states CA Owners must disclose at least an authoritative English
>>>    version of policy documents to the CCADB;
>>> 3. adds Audit Team Qualifications that are provided to the CCADB; and
>>> 4. (if required by a Root Store policy) defines the submission
>>>    requirements for the CCADB Self-Assessment.
>>>
>>>
>>> The specific changes can be viewed in this PR [1]. This update does not
>>> intend to create any new requirements for CA Owners included in the CCADB;
>>> rather, it intends to combine some existing requirements into a single
>>> source to simplify compliance activities.
>>>
>>> The Steering Committee intends for this version of the policy to become
>>> effective on October 25, 2023, and we plan to announce the release with a
>>> separate communication. We appreciate considerations from the CA community,
>>> either in the PR or directly in this thread before October 25, 2023.
>>>
>>> Thank you,
>>>
>>> -Chris, on behalf of the CCADB Steering Committee
>>>
>>> [1] https://github.com/mozilla/www.ccadb.org/pull/138/files
>>>
>>> [2] https://www.ccadb.org/policy
>>>
>>
--
You received this message because you are subscribed to the Google Groups
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/ccadb.org/d/msgid/public/CADw9x2uSXPES1BdKU-kPVkDF00CFJzpQ1uXzRU_C-3f-4wD5sw%40mail.gmail.com.
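The scoping rule discussed in this thread (one self-assessment per set of CAs that share the same CP and CPS(s), or the same combined CP/CPS) can be checked mechanically from a CA inventory. The script below is an added illustration, not code from the CCADB project or from anyone in the thread; the CA records are constructed to mirror the “ABC” / “123” / “456” / “789” scenario, with a hypothetical extra CA “XYZ” added to show the “(s)” case of one CA operating under both a CPS and a Trust Service Practice Statement. A CA is keyed by the full set of policy documents it operates under, so a CA with an additional practice statement lands in its own assessment rather than being folded into one it only partially matches.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CA:
    """One CA record from an inventory (constructed for this example)."""
    name: str
    cp: Optional[str]          # CP document; None when a combined CP/CPS is used
    cps: frozenset            # one or more practice statements (CPS, TSPS, or combined CP/CPS)


def policy_key(ca: CA) -> frozenset:
    """The complete set of policy documents a CA operates under.

    Two CAs belong in the same self-assessment only if these sets are
    identical: same CP and the same CPS(s), or the same combined CP/CPS.
    """
    docs = set(ca.cps)
    if ca.cp:
        docs.add(ca.cp)
    return frozenset(docs)


def plan_self_assessments(cas):
    """Partition CAs into self-assessments and list in/out-of-scope CAs for each.

    Returns a list of dicts ordered by their policy document sets, each with
    'policies', 'in_scope' and 'not_in_scope' (CAs covered by another assessment).
    """
    groups = defaultdict(list)
    for ca in cas:
        groups[policy_key(ca)].append(ca.name)

    all_names = {ca.name for ca in cas}
    plans = []
    for key in sorted(groups, key=lambda k: sorted(k)):
        in_scope = sorted(groups[key])
        plans.append({
            "policies": sorted(key),
            "in_scope": in_scope,
            "not_in_scope": sorted(all_names - set(in_scope)),
        })
    return plans


# Constructed inventory: the thread's scenario plus a hypothetical "XYZ" CA
# that operates under CPS #2 *and* a Trust Service Practice Statement.
SCENARIO = [
    CA("ABC", "CP #1", frozenset({"CPS #1"})),
    CA("123", "CP #1", frozenset({"CPS #2"})),
    CA("456", "CP #1", frozenset({"CPS #2"})),
    CA("789", "CP #1", frozenset({"CPS #3"})),
    CA("XYZ", "CP #1", frozenset({"CPS #2", "TSPS #1"})),
]


if __name__ == "__main__":
    for n, plan in enumerate(plan_self_assessments(SCENARIO), start=1):
        print(f"Self-Assessment #{n}")
        print("  Policies Considered:", ", ".join(plan["policies"]))
        print("  CAs in scope:       ", ", ".join(plan["in_scope"]))
        print("  CAs not in scope:   ", ", ".join(plan["not_in_scope"]))
```

Running it reproduces the three assessments in the thread (“ABC” alone; “123” with “456”; “789” alone) and places “XYZ” in a fourth one, because its document set {CP #1, CPS #2, TSPS #1} differs from the {CP #1, CPS #2} set shared by “123” and “456”. Wendy's suggestion of one assessment spanning a root and its subordinates under different CPS documents would, under this reading, require merging groups by CP only; the `policy_key` function is the single place that decision is encoded.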