Thanks for starting this discussion. As an additional note, the Apple Root Program Policy states: "CA providers must strictly adhere to their Certificate Policy (CP) and/or Certification Practices Statement (CPS) document(s) as disclosed within the CCADB (and not marked as “Deleted”). Note: This extends to all policy documents the CA provider publishes in relation to its CAs included in the Apple Root Program, such as TSPS documents.”
The parenthetical in the first sentence is intended to provide some clarity around which CP/CPS documents are considered authoritative when disclosed to the CCADB. If a non-authoritative CP/CPS is not marked as “Deleted”, then it’s difficult to ascertain with a high degree of confidence and consistency across the corpus of CAs which CP/CPS is authoritative for a given CA.

Ideally, a Root CA should only have at most either:

1. One CP and one CPS; or
2. One CP/CPS at any given time.

With multi-purpose Root CAs, this can be a bit more complex, but I think this would be a good target.

I think it’s worth noting that 1 & 3 are, I believe, mostly the same; that is, Policy Documents marked as “Deleted” in the CCADB are not removed from the database.

Regarding the “change log” sections of Policy Documents, I agree there’s not much specific guidance on what is desired or expected here. Both a summary of the changes and a list of sections in which changes occurred seem particularly valuable to me; are there any other suggestions or ideas from the community on this?

Cheers!
-Clint

> On Aug 16, 2024, at 4:25 AM, Mike Shaver <[email protected]> wrote:
>
> On Fri, Aug 16, 2024 at 7:10 AM 'Martijn Katerbarg' via CCADB Public <[email protected]> wrote:
>> What update are root stores / CCADB expecting out of these options:
>>
>> 1. The new CPS should be added, and the old CPS should be deleted as it is no longer in effect for new certificate issuance.
>> 2. The new CPS should be added, but the old CPS should be kept in place as long as there are unexpired certificates under its policy.
>> 3. The new CPS should be added. Older entries should be kept indefinitely to serve as an archive overview.
>
> As a community member, I would prefer 3, but would want at least 2 as long as there are unexpired certs that are trusted by currently-supported browsers or operating systems.
>
> I think the most common practice is 1, though?
>
> A related question: what, if any, information should CAs provide about material changes between adjacent CPS versions? There is a wide range of practices here, but I think at least a summary of the changes or a list of affected sections would be helpful in a number of ways.
>
> Mike
>
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZqsV%2BOdGz3DZMy2ZPOiXo64DBDW7AB--ctauEBafJFE1uw%40mail.gmail.com.
