Hi Rob, There will be three fields for "Last Updated Date" --one for CP, one for CPS, and one for CP/CPS. Ben
On Fri, Sep 20, 2024 at 3:24 AM 'Rob Stradling' via CCADB Public < [email protected]> wrote: > Thanks Clint, Chris et al. > > > On the Intermediate Certificate record, we will add the ability to > identify if the CP, CPS, or CP/CPS is the same as the parent record, rather > than only having the ability to identify “CP/CPS same as parent”, which is > today’s current state in the CCADB. > > Please could you also reflect this enhancement in > https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv2 > somehow? > > One further thought... > How are CA Owners expected to populate the single "CP/CPS Last Updated > Date" field on an Intermediate Certificate record when multiple > non-superseded policy documents are applicable, each of which could have > been updated on different dates? > Should "Last Updated Date" become a per-document field instead? > > ------------------------------ > *From:* 'Clint Wilson' via CCADB Public > *Sent:* Thursday, September 19, 2024 23:24 > *To:* public > *Cc:* Mike Shaver; Chris Clements; Dimitris Zacharopoulos (HARICA); Clint > Wilson > *Subject:* Re: Questions regarding which policy documentation to keep in > CCADB > > Hi All, > > The CCADB Steering Committee plans to move forward with introducing the > changes described below by Chris [1] into the production instance of the > CCADB. There are semi-related future enhancements we hope to make beyond > the scope of these near-term changes that we expect will further address > areas of inconsistency, confusion, and/or transparency that are currently > lacking. For now, if there are any final points of feedback folks would > like to make, please do so as soon as possible. > > Thank you! > -Clint > > [1] - > https://groups.google.com/a/ccadb.org/g/public/c/CIR6vB52Z-g/m/91ZZ3e9vCgAJ > > On Sep 6, 2024, at 2:01 PM, 'Clint Wilson' via CCADB Public < > [email protected]> wrote: > > In the context of the TLS and S/MIME Baseline Requirements, the cPSuri is > not required to point to the specific document(s) which govern the > certificate in which it may be found. The requirement is only that the > cPSuri contain a "HTTP or HTTPS URL for the Issuing CA's Certificate > Policies, Certification Practice Statement, Relying Party Agreement, or > other pointer to online policy information provided by the Issuing CA”. > > As far as I understand, CA/B Forum Guideline documents don’t require CAs > to maintain availability of CPs/CPSes which are not currently authoritative > for the issuance of new certificates. Root Programs do require maintenance > of such an archive [1] and the CCADB’s (alongside incorporating Root > Program Policies') requirement for disclosure of all CPs/CPSes [2] > effectively creates a secondary, consistently structured source of this > archive. In theory (and often in practice), the cPSuri should at minimum > point to a repository containing the archive of active and historical (but > still authoritative) CPs/CPSes, but it may be a substantial amount of > effort to identify the document(s) governing any given leaf certificate. > Part of the intent with the CCADB storing the effective date, and > superseded date in the future, is to make it a little bit easier for > relying and interested parties to find and validate that information — > hopefully improving the overall situation your (not naive, imo) question > highlights. > > It’s also worth pointing out that including the cPSuri is not recommended > and generally provides very little practical value. That could be changed > and improved, but given the current direction of managing CAs and their > policies at scale, I suspect such efforts may not be exceptionally fruitful. > > Cheers, > -Clint > > [1] - > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#33-cps-and-cpses > [2] - https://www.ccadb.org/policy#5-policies-audits-and-practices > > On Sep 5, 2024, at 12:45 PM, Mike Shaver <[email protected]> wrote: > > On Thu, Sep 5, 2024 at 3:23 PM 'Chris Clements' via CCADB Public < > [email protected]> wrote: > > Currently, we see some CA Owners using a URL with a specific version of > the document and others using a URL that points to where the latest version > of the document can be found. Both are acceptable. The POLICY DOCUMENTS > guide > <https://docs.google.com/document/d/1qAVihgbo7TuH3xqq2zbxhxHajQnJwbHUGEFf2VjxoZQ/edit#bookmark=id.gqczpewy5797> > states: > "If the link to your CA’s most current policy document remains constant, > then you can simply edit the document object to update the date, add policy > identifiers, update comments, and update the list of applicable root > certificates." > > > Naive question: if a policy document can change without the URL changing, > how does one find the policy under which a given certificate was issued? > Doesn't cpsUri have to point to the policy that governed the issuance of > the certificate? > > Mike > > > -- > You received this message because you are subscribed to the Google Groups > "CCADB Public" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZquKwxKpJDfii7_ixs_zpZRqho9iuBp5-r9s_pgbLU9H2w%40mail.gmail.com > <https://groups.google.com/a/ccadb.org/d/msgid/public/CADQzZquKwxKpJDfii7_ixs_zpZRqho9iuBp5-r9s_pgbLU9H2w%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > > > -- > You received this message because you are subscribed to the Google Groups > "CCADB Public" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/ccadb.org/d/msgid/public/9C03D8B5-C6E1-4AA6-9BFF-471E33E4D119%40apple.com > <https://groups.google.com/a/ccadb.org/d/msgid/public/9C03D8B5-C6E1-4AA6-9BFF-471E33E4D119%40apple.com?utm_medium=email&utm_source=footer> > . > > > -- > You received this message because you are subscribed to the Google Groups > "CCADB Public" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/ccadb.org/d/msgid/public/067DEA69-2F04-4C52-B771-A2706FF8525E%40apple.com > <https://groups.google.com/a/ccadb.org/d/msgid/public/067DEA69-2F04-4C52-B771-A2706FF8525E%40apple.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "CCADB Public" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/ccadb.org/d/msgid/public/MW4PR17MB4729B42F59C16FEA6D600DF9AA6C2%40MW4PR17MB4729.namprd17.prod.outlook.com > <https://groups.google.com/a/ccadb.org/d/msgid/public/MW4PR17MB4729B42F59C16FEA6D600DF9AA6C2%40MW4PR17MB4729.namprd17.prod.outlook.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtaap37DuZfUFJAPzr96tEKK578NdvdeDUMnq%2BvMOyH99cg%40mail.gmail.com.
