Hello Ryan,
We would like to inquire about the "Can Auditors participate in the reporting process?" field being added to the Incident Reporting Guidelines (IRGs). Could you please confirm if the "auditor participation" required for this field is satisfied by complying with the following new requirement under CCADB Policy "5.2 Audit Statement Content"? Specifically, we understand this to mean including the auditor's review of incident reports in the annual audit statement as described below:

13. All incidents disclosed by the CA Owner, or reported by a third party, and all findings reported by an auditor, that, at any time during the audit period, occurred, were open in Bugzilla, or were reported to a Root Store Operator. For each, auditors SHOULD review the publicly-disclosed incident reports for consistency with audit evidence obtained and indicate whether (a) the scope, impact, and root cause are accurately and fairly described; and whether (b) the corrective actions described by the CA Owner are aligned with the factors that led to the incident and are intended to mitigate the risks associated with the identified root cause(s).

If our understanding is incorrect, we would appreciate it if you could provide further clarification on what is expected for this requirement.

Best regards,
Jun, Cybertrust Japan

On Saturday, January 24, 2026 at 5:48:22 UTC+9, Ryan Dickson wrote:
> Hi everyone,
>
> Following the set of updates made to the CCADB Policy <https://www.ccadb.org/policy> last June <https://groups.google.com/a/ccadb.org/g/public/c/J8aVHEWrMYs/m/bFM2shcrBgAJ>, the CCADB Steering Committee has collaborated on a set of updates to further clarify Root Store Operator expectations related to CCADB disclosures.
>
> Updates are also planned for the CCADB Incident Reporting Guidelines <https://www.ccadb.org/cas/incident-report> (IRGs).
>
> The set of proposed updates is available here <https://github.com/mozilla/www.ccadb.org/pull/214> (“clean” policy <https://github.com/mozilla/www.ccadb.org/blob/policy_2-1/policy.md> / IRG <https://github.com/mozilla/www.ccadb.org/blob/policy_2-1/cas/incident-report.md>).
>
> Change summary:
>
> Policy
>
> - Clarify expectations for subordinate CA ownership disclosure.
> - Effective September 15, 2026, require additional disclosures within PKI policy documents to more clearly establish the scope and applicability of policy documents.
> - Clarify audit expectations for CAs serving time-stamping use cases.
> - Clarify expectations related to explanatory letter disclosures for delayed audit statements.
> - Encourage Qualified Auditors to review public incident reports and offer an opinion on incident handling and remediation.
> - For audit periods beginning on or after January 15, 2027, audit statements must disclose sampling methodologies.
> - Clarify CRL disclosure expectations. Specifically, this policy update considers a new field (i.e., "All Full CRL URIs for This Hierarchy") being added to the CCADB that will expect a properly formatted JSON array for the complete set of distinct HTTP URLs appearing in the `crlDistributionPoints` extension of the unexpired certificates issued by that CA. CA Owners can expect separate standard CCADB Enhancement Request communications regarding the deployment of this field, which will occur before the updated policy becomes effective.
>
> IRGs
>
> - Clarify that audit findings must be the subject of an incident report.
> - Describe how Qualified Auditors can be involved in the incident reporting process.
> - Highlight that CA Owners should request a nextUpdate date “whiteboard” label to align with the soonest Action Item.
> - Highlight how CA Owners may add additional data fields to incident report appendices.
>
> These proposals should not be considered “final”, but instead a “work in-progress” that we hope to enhance through community contributions. We welcome community feedback on these proposed updates and recommendations by March 1, 2026. Please share your thoughts by replying to this email or, preferably, by suggesting edits directly on GitHub.
>
> Thank you,
>
> Ryan (on behalf of the CCADB Steering Committee)

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/3554b2aa-95c9-4f45-88d7-4555ca3b06dfn%40ccadb.org.
