Hi Martijn, I think the middle option is the best choice, and the first bulleted item is a second-best choice, although any of them are appropriate. CAs themselves are required by Item 7 of Section 3.3 of Mozilla Root Store Policy <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#33-cps-and-cpses> to maintain an archive of CPs and CPSes. They cannot rely on the CCADB for maintaining records of historic CPs and CPSes. It has been a very common practice to remove/delete outdated CPs and CPSes from being listed in the CCADB.
Thanks,
Ben

On Fri, Aug 16, 2024 at 12:10 PM 'Martijn Katerbarg' via CCADB Public <[email protected]> wrote:

> All,
>
> We’ve had an internal discussion at Sectigo regarding which information relating to CP and CPS documents needs to be kept within CCADB, and which old information must be removed.
>
> We’re opting to open a public thread for this as we’re not only interested in seeing the point of view of the CCADB members, but other CAs and the community as well. At present, we see different CAs taking different approaches.
>
> Let us start by quoting a few requirements, from CCADB and root stores:
>
> The Chrome Root Program states (https://www.chromium.org/Home/chromium-security/root-ca-policy/#2-chrome-root-program-participant-policies): "The Chrome Root Program considers CA policy documentation in the CCADB to be authoritative."
>
> The CCADB Policy states (https://www.ccadb.org/policy#5-policies-audits-and-practices): "The URLs to such CPs, CPSes and audits, and any metadata about them such as the name of the auditor or the date of the audit, must be updated as new information becomes available."
>
> Our questions here boil down to (1) What is the scope of “updated”? and (2) What does it mean for a superseded CP or CPS document whose details have not been removed from CCADB “to be authoritative”?
>
> For CP and CPS information, it’s possible (and sometimes even necessary) to add multiple entries. These entries can however also be removed at a later time. Consider the regular occurrence of a CA publishing a CPS update: What update are root stores / CCADB expecting out of these options:
>
> - The new CPS should be added, and the old CPS should be deleted as it is no longer in effect for new certificate issuance.
> - The new CPS should be added, but the old CPS should be kept in place as long as there are unexpired certificates under its policy.
> - The new CPS should be added. Older entries should be kept indefinitely to serve as an archive overview.
>
> Or, would any of these 3 options currently be seen as a valid practice?
>
> Regards,
>
> Martijn
>
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/SA1PR17MB65036E72E1BCC94752CB7B53E3812%40SA1PR17MB6503.namprd17.prod.outlook.com
