Hi Jun,

To clarify, the section “Can Auditors participate in the reporting process?” of the CCADB Incident Reporting Guidelines is not a requirement. Rather, it states that Auditors are encouraged to participate in the incident reporting process and a recent example is here <https://bugzilla.mozilla.org/show_bug.cgi?id=2011430#c11>. Section 5.2 of the CCADB Policy, as you identified, is a SHOULD statement and is relevant to the Audit Statement's content (i.e., the WebTrust Assurance Report or ETSI Audit Attestation Letter).
The two topics relate to Auditor participation but are distinct: one refers to participating in incident reports and the other refers to reviewing incident report outcomes.

Thank you
-Chris

On Sun, Mar 1, 2026 at 11:51 AM 大倉惇 <[email protected]> wrote:
> Hello Ryan,
>
> We would like to inquire about the "Can Auditors participate in the reporting process?" field being added to the Incident Reporting Guidelines (IRGs).
>
> Could you please confirm if the "auditor participation" required for this field is satisfied by complying with the following new requirement under CCADB Policy "5.2 Audit Statement Content"? Specifically, we understand this to mean including the auditor's review of incident reports in the annual audit statement as described below:
>
> 13. All incidents disclosed by the CA Owner, or reported by a third party, and all findings reported by an auditor, that, at any time during the audit period, occurred, were open in Bugzilla, or were reported to a Root Store Operator. For each, auditors SHOULD review the publicly-disclosed incident reports for consistency with audit evidence obtained and indicate whether (a) the scope, impact, and root cause are accurately and fairly described; and whether (b) the corrective actions described by the CA Owner are aligned with the factors that led to the incident and are intended to mitigate the risks associated with the identified root cause(s).
>
> If our understanding is incorrect, we would appreciate it if you could provide further clarification on what is expected for this requirement.
>
> Best regards,
>
> Jun, Cybertrust Japan
>
> On Saturday, January 24, 2026 at 5:48:22 UTC+9, Ryan Dickson wrote:
>
>> Hi everyone,
>>
>> Following the set of updates made to the CCADB Policy <https://www.ccadb.org/policy> last June <https://groups.google.com/a/ccadb.org/g/public/c/J8aVHEWrMYs/m/bFM2shcrBgAJ>, the CCADB Steering Committee has collaborated on a set of updates to further clarify Root Store Operator expectations related to CCADB disclosures.
>>
>> Updates are also planned for the CCADB Incident Reporting Guidelines <https://www.ccadb.org/cas/incident-report> (IRGs).
>>
>> The set of proposed updates is available here <https://github.com/mozilla/www.ccadb.org/pull/214> (“clean” policy <https://github.com/mozilla/www.ccadb.org/blob/policy_2-1/policy.md> / IRG <https://github.com/mozilla/www.ccadb.org/blob/policy_2-1/cas/incident-report.md>).
>>
>> Change summary:
>>
>> Policy
>>
>> - Clarify expectations for subordinate CA ownership disclosure.
>> - Effective September 15, 2026, require additional disclosures within PKI policy documents to more clearly establish the scope and applicability of policy documents.
>> - Clarify audit expectations for CAs serving time-stamping use cases.
>> - Clarify expectations related to explanatory letter disclosures for delayed audit statements.
>> - Encourage Qualified Auditors to review public incident reports and offer an opinion on incident handling and remediation.
>> - For audit periods beginning on or after January 15, 2027, audit statements must disclose sampling methodologies.
>> - Clarify CRL disclosure expectations. Specifically, this policy update considers a new field (i.e., "All Full CRL URIs for This Hierarchy") being added to the CCADB that will expect a properly formatted JSON array for the complete set of distinct HTTP URLs appearing in the `crlDistributionPoints` extension of the unexpired certificates issued by that CA. CA Owners can expect separate standard CCADB Enhancement Request communications regarding the deployment of this field, which will occur before the updated policy becomes effective.
>>
>> IRGs
>>
>> - Clarify that audit findings must be the subject of an incident report.
>> - Describe how Qualified Auditors can be involved in the incident reporting process.
>> - Highlight that CA Owners should request a nextUpdate date “whiteboard” label to align with the soonest Action Item.
>> - Highlight how CA Owners may add additional data fields to incident report appendices.
>>
>> These proposals should not be considered “final”, but instead a “work in-progress” that we hope to enhance through community contributions. We welcome community feedback on these proposed updates and recommendations by March 1, 2026. Please share your thoughts by replying to this email or, preferably, by suggesting edits directly on GitHub.
>>
>> Thank you,
>>
>> Ryan (on behalf of the CCADB Steering Committee)
>>
>> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/3554b2aa-95c9-4f45-88d7-4555ca3b06dfn%40ccadb.org.

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mDpZTmnhsqy_TVzYUMHGoBxWkSU2cMW1qWKeRM3jdKVyA%40mail.gmail.com.
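The "All Full CRL URIs for This Hierarchy" field described in Ryan's quoted message expects a JSON array of the distinct HTTP URLs found in the crlDistributionPoints extension of a CA's unexpired certificates. The following is an added example, not code from the CCADB, the policy PR, or any CA, showing one way to derive that array from a set of parsed certificates using only Go's standard library. The hostnames, the three self-signed certificates it constructs as stand-ins for a CA's issuance database, and the decision to count both http:// and https:// as "HTTP URLs" while dropping ldap:// and other schemes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// isHTTPURL reports whether a CRL distribution point URI is an HTTP URL.
// Assumption: http:// and https:// both count; ldap:// and others are excluded.
func isHTTPURL(u string) bool {
	l := strings.ToLower(u)
	return strings.HasPrefix(l, "http://") || strings.HasPrefix(l, "https://")
}

// FullCRLURIs returns the distinct HTTP URLs from the crlDistributionPoints
// extension of every certificate still unexpired at `now`. Expired
// certificates are skipped. The result is sorted so repeated runs over the
// same data produce byte-identical output for the CCADB field.
func FullCRLURIs(certs []*x509.Certificate, now time.Time) []string {
	seen := make(map[string]struct{})
	for _, c := range certs {
		if !now.Before(c.NotAfter) { // expired: contributes nothing
			continue
		}
		for _, u := range c.CRLDistributionPoints { // Go exposes the fullName URIs
			if isHTTPURL(u) {
				seen[u] = struct{}{}
			}
		}
	}
	out := make([]string, 0, len(seen)) // non-nil: an empty set must encode as [] not null
	for u := range seen {
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// FullCRLURIsJSON renders the set as the JSON array text the field expects.
func FullCRLURIsJSON(certs []*x509.Certificate, now time.Time) (string, error) {
	b, err := json.Marshal(FullCRLURIs(certs, now))
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// selfSigned builds a throwaway self-signed certificate carrying the given
// CRL distribution points; constructed test data standing in for a CA's records.
func selfSigned(key *ecdsa.PrivateKey, serial int64, notAfter time.Time, dps []string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "constructed test cert"},
		NotBefore:             notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:              notAfter,
		CRLDistributionPoints: dps,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip so the code reads real DER, as it would in production
}

// SampleCerts constructs three certificates: two unexpired ones that share a
// CRL URL (one also listing an LDAP URI) and one expired one whose URL must
// not appear in the output.
func SampleCerts() ([]*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now, day := time.Now(), 24*time.Hour
	specs := []struct {
		serial   int64
		notAfter time.Time
		dps      []string
	}{
		{1, now.Add(365 * day), []string{"http://crl.example.test/a.crl", "http://crl.example.test/b.crl"}},
		{2, now.Add(30 * day), []string{"http://crl.example.test/a.crl", "ldap://ldap.example.test/cn=crl"}},
		{3, now.Add(-1 * day), []string{"http://crl.example.test/expired.crl"}},
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		c, err := selfSigned(key, s.serial, s.notAfter, s.dps)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := SampleCerts()
	if err != nil {
		panic(err)
	}
	out, err := FullCRLURIsJSON(certs, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(out) // ["http://crl.example.test/a.crl","http://crl.example.test/b.crl"]
}
```

Two details matter for a real run against a CA's issuance database: the deduplication key is the byte-exact string, so two spellings of the same URL (for example differing only in hostname case) would both be reported, which is what "distinct URLs appearing in the extension" asks for; and a hierarchy with no unexpired certificates must still produce `[]`, which is why the slice is created non-nil rather than left as Go's `nil` (which `encoding/json` would emit as `null`).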
