Thanks, Trev. I care a lot about this topic and think it’s an important discussion for the ecosystem.
I put some thoughts on the bug (https://bugzilla.mozilla.org/show_bug.cgi?id=2009525) that frame how I’m thinking about CP/CPS structure and governance. I initially tried to reply here but realized I had to request access, so the bug seemed like the easiest place to respond in the moment. Happy to discuss any of those points here and hear other perspectives.

I’d be especially curious to hear from auditors about how they are evaluating these documents in practice. How much specificity do they rely on in the CP/CPS itself versus interpreting incorporation by reference? That seems like a critical input to getting this right.

Looking forward to the discussion.

Ryan Hurst

On Friday, February 13, 2026 at 11:53:40 AM UTC-8 Trevoli Ponds-White wrote:

> Hello!
>
> We want to start a conversation about bringing more clarity and consistency to expectations for CP/CPS content. We posted this here so that non-CA/B F members can provide feedback and because we can think of several ways to do it: an update to the Baseline Requirements, a CCADB policy update, or an update to one of the Root programs’ policies.
>
> This isn’t the first incident about CP/CPS content the community has had, but it’s a good place to start with for background: https://bugzilla.mozilla.org/show_bug.cgi?id=2009525.
>
> We have two proposals to start the discussion. If people have other proposals or feedback about these, please share them.
>
> Proposal 1 – Update Section 2.2 of the Baseline Requirements
>
> Change the existing language:
>
> The CA SHALL publicly give effect to these Requirements and represent that it will adhere to the latest published version. The CA MAY fulfill this requirement by incorporating these Requirements directly into its Certificate Policy and/or Certification Practice Statements or by incorporating them by reference using a clause such as the following (which MUST include a link to the official version of these Requirements): [Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates published at https://www.cabforum.org. In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document.
>
> To something like:
>
> The CA MUST publicly give effect to these Requirements and represent that it will adhere to the latest published version. The CA MAY fulfill this requirement by incorporating these Requirements by reference into its Certificate Policy and/or Certification Practice Statements. If the CA does this the reference must be in Section 1.1 and MUST list which documents it is referencing by title and must include the link to the document’s landing page, i.e. “Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates https://cabforum.org/working-groups/server/baseline-requirements/”. The CA MAY also include the following in Section 1.1: “In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document.” CAs that incorporate requirements by reference SHOULD NOT include details about required practices. CAs that incorporate requirements by reference MUST include details in places where the referenced documents express optional requirements, i.e. “No stipulation, SHOULD, SHOULD NOT, MAY, optional.”
>
> In practice this would result in, for example, Section 4.2.1 (for TLS certs): CAs would have to describe if they reuse validation data, but not required items such as “Applicant information MUST include, but not be limited to, at least one Fully-Qualified Domain Name”.
>
> Proposal 2 – Adopt a style similar to Matter PKI by the Connectivity Standards Alliance (CSA)
>
> When CAs submit a CPS to the CSA it is laid out where the requirement is stated. Following that there is a spot for the CA response when required. Example:
>
> 4.2 - Certificate Application Processing
> It is the responsibility of the CA/RA to verify that the information in a Certificate Application is accurate.
> CA Response: <insert response>
>
> CA Response:
>
> Before issuing Matter Certificates, the CA verifies Vendor identity & information through the following process: 1) Vendor requests a Distributed Compliance Ledger (DCL) challenge to prove ownership of their DCL private key; 2) The CA verifies the DCL challenge; 3) The CA retrieves Requester data for the RAD and Certificate Application; 4) The CA verifies the Vendor's information against a known database; 5) The CA generates the RAD and Certificate Application with the verified data; 6) Vendor signs the RAD and Certificate Application; and 7) The CA creates the Vendor for PAI issuance.
>
> Given that we have been moving the CA/B F requirements in a direction where we have greater specificity and less leeway, we think this is a good time to revisit more specific requirements for CP/CPS content as well.
>
> Thanks!
>
> Trevoli Ponds-White
>
> Amazon Trust Services

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group. To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/375bc281-bc43-46f5-ba19-023cf7f3c6a1n%40ccadb.org.
