All,

We’ve had an internal discussion at Sectigo regarding which information relating to CP and CPS documents needs to be kept within CCADB, and which old information must be removed.

We’re opting to open a public thread for this as we’re not only interested in seeing the point of view of the CCADB members, but other CAs and the community as well. At present, we see different CAs taking different approaches.

Let us start by quoting a few requirements, from CCADB and root stores:

The Chrome Root Program states (https://www.chromium.org/Home/chromium-security/root-ca-policy/#2-chrome-root-program-participant-policies):
"The Chrome Root Program considers CA policy documentation in the CCADB to be authoritative."

The CCADB Policy states (https://www.ccadb.org/policy#5-policies-audits-and-practices):
"The URLs to such CPs, CPSes and audits, and any metadata about them such as the name of the auditor or the date of the audit, must be updated as new information becomes available."

Our questions here boil down to (1) What is the scope of “updated”? and (2) What does it mean for a superseded CP or CPS document whose details have not been removed from CCADB “to be authoritative”?

For CP and CPS information, it’s possible (and sometimes even necessary) to add multiple entries. These entries can, however, also be removed at a later time.

Consider the regular occurrence of a CA publishing a CPS update: What update are root stores / CCADB expecting out of these options:

* The new CPS should be added, and the old CPS should be deleted as it is no longer in effect for new certificate issuance.
* The new CPS should be added, but the old CPS should be kept in place as long as there are unexpired certificates under its policy.
* The new CPS should be added. Older entries should be kept indefinitely to serve as an archive overview.

Or, would any of these 3 options currently be seen as a valid practice?

Regards,

Martijn
