Hello everyone,

As part of our ongoing efforts to improve transparency, consistency, and
access to information for root certificate inclusion requests, the CCADB
Steering Committee is proposing some changes to parts of the CCADB Root
Inclusion Public Discussion
<https://www.ccadb.org/cas/public-group#root-inclusion-public-discussion>
process. Specifically, we want to adjust the messaging that begins the
6-week public discussion period.

What is changing

Historically, announcement emails have included a long, manually copied
outline of case data from the CCADB. This has typically included
organization details, certificate fingerprints, audit statements, test
websites, and incident summaries presented inline in the email body.

Going forward, announcement emails will be more consistent, and will
primarily:

   - Provide some specifics from the CCADB Root Inclusion Request case;
   - Provide a direct link to a new public printable case report (example
     <https://ccadb.my.salesforce-sites.com/ccadb/CasePrintViewAllPublic?recordId=5001J00000dw3JdQAI>);
   - Provide a link to the entirety of the CA’s Incident Report history from
     Bugzilla; and
   - Highlight any additional information needed to orient reviewers to the
     case.

The case details will now be seen in the CCADB’s printable public report,
rather than duplicated in the email itself. We encourage reviewers to use
the printable CCADB report as the primary reference when evaluating open
root inclusion cases and when submitting feedback during the discussion
period.

What the new printable report includes

The new CCADB printable public report consolidates and structures all case
information under clear subject headings, including (but not limited to):

   - Case and CA Owner information
   - Root stores applied to (Apple, Mozilla, Google Chrome, Microsoft)
   - CA-provided value statements and lifecycle information (per root program)
   - Root certificate and hierarchy details
   - Certificate metadata (fingerprints, validity, key information)
   - CRL and revocation information
   - Intended use cases and test websites (if applicable)
   - Most recent audit statements and supporting documentation
   - In effect non-audit documents (i.e., policy documentation)
   - Root-program-specific application status and constraints

This format allows reviewers to see the same data root programs rely on,
organized in a consistent and navigable way, without the risk of omissions
or transcription errors.

Why this change is being made

   - Reduces duplication and manual copying of CCADB data
   - Improves consistency across root inclusion announcements
   - Ensures community reviewers are always looking at the most current
     information
   - Makes announcements easier to read while preserving transparency

What is not changing

   - The 6-week public comment period remains unchanged
   - Community review and discussion remain a critical part of the root
     inclusion process
   - All information required for meaningful review continues to be publicly
     available

How you can help

   1. Are there additional, publicly available disclosures or other
      information that should be included in future root inclusion public
      discussion announcements? Some examples are: (1) more information about CA
      ownership and control structures, and (2) clearer context about a CA
      owner’s intended scope or community served. See e.g., this past
      <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/RJCJqWme4BM/m/TBA3Pf0HAQAJ>
      discussion and also Mozilla’s Root Inclusion Considerations
      <https://wiki.mozilla.org/CA/Root_Inclusion_Considerations>.
   2. Is there any information that we provide today during the root inclusion
      process that does not materially contribute to the community’s
      understanding of a root inclusion request, or that may be redundant with
      other sources, and that could reasonably be removed or streamlined to
      improve clarity and focus in public discussion announcements?

Suggestions submitted over the next two weeks (through 2/20) will be
greatly appreciated. If you have questions about the new report format or
encounter any issues accessing the public views, please let us know.

Thank you for your continued participation and feedback.

Best regards,
Ben Wilson
On behalf of the CCADB Steering Committee
