Hi everyone,

Following the set of updates made to the CCADB Policy
<https://www.ccadb.org/policy> last June
<https://groups.google.com/a/ccadb.org/g/public/c/J8aVHEWrMYs/m/bFM2shcrBgAJ>,
the CCADB Steering Committee has collaborated on a set of updates to
further clarify Root Store Operator expectations related to CCADB
disclosures.

Updates are also planned for the CCADB Incident Reporting Guidelines
<https://www.ccadb.org/cas/incident-report> (IRGs).

The set of proposed updates is available here
<https://github.com/mozilla/www.ccadb.org/pull/214> (“clean” policy
<https://github.com/mozilla/www.ccadb.org/blob/policy_2-1/policy.md> / IRG
<https://github.com/mozilla/www.ccadb.org/blob/policy_2-1/cas/incident-report.md>).

Change summary:

Policy

   - Clarify expectations for subordinate CA ownership disclosure.
   - Effective September 15, 2026, require additional disclosures within PKI
     policy documents to more clearly establish the scope and applicability of
     policy documents.
   - Clarify audit expectations for CAs serving time-stamping use cases.
   - Clarify expectations related to explanatory letter disclosures for
     delayed audit statements.
   - Encourage Qualified Auditors to review public incident reports and offer
     an opinion on incident handling and remediation.
   - For audit periods beginning on or after January 15, 2027, audit
     statements must disclose sampling methodologies.
   - Clarify CRL disclosure expectations. Specifically, this policy update
     considers a new field (i.e., "All Full CRL URIs for This Hierarchy") being
     added to the CCADB that will expect a properly formatted JSON array for
     the complete set of distinct HTTP URLs appearing in the
     `crlDistributionPoints` extension of the unexpired certificates issued by
     that CA. CA Owners can expect separate standard CCADB Enhancement Request
     communications regarding the deployment of this field, which will occur
     before the updated policy becomes effective.

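As an added illustration of the CRL field described in the last policy bullet (this is not code from the CCADB or the Steering Committee): a stdlib-only Python helper that builds the "All Full CRL URIs for This Hierarchy" value from constructed certificate records and checks a candidate value for the stated format. It assumes the records already carry each certificate's notAfter and its `crlDistributionPoints` URIs (DER parsing is out of scope here), and it reads "HTTP URL" as a URL with the http scheme.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample (not from any real CA): (notAfter, crlDistributionPoints URIs)
# for each certificate issued by the CA being disclosed.
UTC = timezone.utc
SAMPLE_CERTS = [
    (datetime(2027, 1, 1, tzinfo=UTC), ["http://crl.example-ca.test/ca1.crl"]),
    (datetime(2026, 6, 1, tzinfo=UTC), ["http://crl.example-ca.test/ca1.crl",  # duplicate
                                         "ldap://ldap.example-ca.test/cn=ca1"]),  # not HTTP
    (datetime(2025, 1, 1, tzinfo=UTC), ["http://crl.example-ca.test/retired.crl"]),  # expired
    (datetime(2027, 1, 1, tzinfo=UTC), ["http://crl2.example-ca.test/ca1.crl"]),
]
NOW = datetime(2026, 2, 1, tzinfo=UTC)  # constructed reference time


def build_full_crl_uris(certs, now=NOW):
    """JSON array of distinct HTTP URLs taken from the crlDistributionPoints
    of certificates that are still unexpired at `now`, in first-seen order."""
    uris = []
    for not_after, dps in certs:
        if not_after <= now:
            continue  # expired certificates do not count
        for uri in dps:
            if urlsplit(uri).scheme.lower() == "http" and uri not in uris:
                uris.append(uri)
    return json.dumps(uris)


def validate_full_crl_uris(value):
    """Return a list of problems with a candidate field value (empty means OK)."""
    try:
        data = json.loads(value)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, list):
        return ["top-level value must be a JSON array"]
    problems, seen = [], set()
    for item in data:
        if not isinstance(item, str):
            problems.append(f"non-string element: {item!r}")
            continue
        if urlsplit(item).scheme.lower() != "http":
            problems.append(f"not an HTTP URL: {item}")
        if item in seen:
            problems.append(f"duplicate URL: {item}")
        seen.add(item)
    return problems
```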

IRGs

   - Clarify that audit findings must be the subject of an incident report.
   - Describe how Qualified Auditors can be involved in the incident
     reporting process.
   - Highlight that CA Owners should request a nextUpdate date “whiteboard”
     label to align with the soonest Action Item.
   - Highlight how CA Owners may add additional data fields to incident
     report appendices.



These proposals should not be considered “final”, but instead a “work
in-progress” that we hope to enhance through community contributions. We
welcome community feedback on these proposed updates and recommendations by
March 1, 2026. Please share your thoughts by replying to this email or,
preferably, by suggesting edits directly on GitHub.

Thank you,

Ryan (on behalf of the CCADB Steering Committee)

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To view this discussion visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O88LBdGN4p06JR4RWdPdHAAt%2BNYAb879a_wS1LqUxbgKg%40mail.gmail.com.