Hi All,

The CCADB Steering Committee plans to move forward with introducing the changes 
described below by Chris [1] into the production instance of the CCADB. There 
are semi-related future enhancements we hope to make beyond the scope of these 
near-term changes that we expect will further address areas of inconsistency, 
confusion, and/or transparency that are currently lacking. For now, if there 
are any final points of feedback folks would like to make, please do so as soon 
as possible.

Thank you!
-Clint

[1] - 
https://groups.google.com/a/ccadb.org/g/public/c/CIR6vB52Z-g/m/91ZZ3e9vCgAJ

> On Sep 6, 2024, at 2:01 PM, 'Clint Wilson' via CCADB Public 
> <[email protected]> wrote:
> 
> In the context of the TLS and S/MIME Baseline Requirements, the cPSuri is not 
> required to point to the specific document(s) which govern the certificate in 
> which it may be found. The requirement is only that the cPSuri contain a 
> "HTTP or HTTPS URL for the Issuing CA's Certificate Policies, Certification 
> Practice Statement, Relying Party Agreement, or other pointer to online 
> policy information provided by the Issuing CA".
> 
> As far as I understand, CA/B Forum Guideline documents don’t require CAs to 
> maintain availability of CPs/CPSes which are not currently authoritative for 
> the issuance of new certificates. Root Programs do require maintenance of 
> such an archive [1] and the CCADB’s (alongside incorporating Root Program 
> Policies') requirement for disclosure of all CPs/CPSes [2] effectively 
> creates a secondary, consistently structured source of this archive. In 
> theory (and often in practice), the cPSuri should at minimum point to a 
> repository containing the archive of active and historical (but still 
> authoritative) CPs/CPSes, but it may be a substantial amount of effort to 
> identify the document(s) governing any given leaf certificate. Part of the 
> intent with the CCADB storing the effective date, and superseded date in the 
> future, is to make it a little bit easier for relying and interested parties 
> to find and validate that information — hopefully improving the overall 
> situation your (not naive, imo) question highlights.
> 
> It’s also worth pointing out that including the cPSuri is not recommended and 
> generally provides very little practical value. That could be changed and 
> improved, but given the current direction of managing CAs and their policies 
> at scale, I suspect such efforts may not be exceptionally fruitful.
> 
> Cheers,
> -Clint 
> 
> [1] - 
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#33-cps-and-cpses
> [2] - https://www.ccadb.org/policy#5-policies-audits-and-practices
> 
>> On Sep 5, 2024, at 12:45 PM, Mike Shaver <[email protected]> wrote:
>> 
>> On Thu, Sep 5, 2024 at 3:23 PM 'Chris Clements' via CCADB Public 
>> <[email protected]> wrote:
>>> Currently, we see some CA Owners using a URL with a specific version of the 
>>> document and others using a URL that points to where the latest version of 
>>> the document can be found. Both are acceptable. The POLICY DOCUMENTS guide 
>>> <https://docs.google.com/document/d/1qAVihgbo7TuH3xqq2zbxhxHajQnJwbHUGEFf2VjxoZQ/edit#bookmark=id.gqczpewy5797>
>>>  states: "If the link to your CA’s most current policy document remains 
>>> constant, then you can simply edit the document object to update the date, 
>>> add policy identifiers, update comments, and update the list of applicable 
>>> root certificates."
>> 
>> Naive question: if a policy document can change without the URL changing, 
>> how does one find the policy under which a given certificate was issued? 
>> Doesn't cpsUri have to point to the policy that governed the issuance of the 
>> certificate?
>> 
>> Mike
> 

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/067DEA69-2F04-4C52-B771-A2706FF8525E%40apple.com.
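As an added example, not part of this thread or of the CCADB's own tooling: a small Python model of the disclosure records discussed above (document URL, effective date, and the planned superseded date), used to find the CP/CPS in force on a certificate's notBefore date and to surface the gaps or overlaps that make that lookup unreliable. The field names, the sample archive and the inclusive-effective/exclusive-superseded date convention are assumptions made here, not CCADB definitions.

```python
"""Which CP/CPS governed a certificate? A CCADB-style lookup (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PolicyDocument:
    """One disclosed CP/CPS record. Field names are assumptions, not CCADB's."""
    url: str
    effective: date
    superseded: Optional[date] = None  # None: still authoritative for new issuance

    def in_force_on(self, day: date) -> bool:
        # Assumed convention: effective date inclusive, superseded date exclusive
        # (the successor document becomes effective on that same day).
        return self.effective <= day and (self.superseded is None or day < self.superseded)


def cps_uri_acceptable(uri: str) -> bool:
    """The BR wording quoted in the thread asks only for an HTTP or HTTPS URL."""
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def governing_documents(docs: List[PolicyDocument], not_before: date) -> List[PolicyDocument]:
    """Every disclosed document in force on the issuance date.

    Exactly one hit is the healthy case. No hit means a gap in the archive (or a
    wrong effective date); several hits mean overlapping records, which is the
    inconsistency a recorded superseded date is meant to remove.
    """
    return [d for d in docs if d.in_force_on(not_before)]


# Constructed sample archive with versioned URLs, as some CAs publish them.
SAMPLE_ARCHIVE = [
    PolicyDocument("https://repository.example-ca.test/cps-v1.pdf", date(2023, 1, 1), date(2024, 3, 1)),
    PolicyDocument("https://repository.example-ca.test/cps-v2.pdf", date(2024, 3, 1), date(2024, 8, 15)),
    PolicyDocument("https://repository.example-ca.test/cps-v3.pdf", date(2024, 8, 15)),
]

if __name__ == "__main__":
    # Boundary day, pre-archive day (gap), and a day under the current document.
    for nb in (date(2024, 3, 1), date(2022, 12, 31), date(2024, 9, 6)):
        hits = governing_documents(SAMPLE_ARCHIVE, nb)
        print(nb, "->", [d.url for d in hits] or "NO RECORD IN FORCE")
```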
