All, The CCADB Steering Committee has published CCADB Policy version 2.1, effective March 20, 2026, which is now available at: https://www.ccadb.org/policy
This update introduces several clarifications and enhancements to existing expectations, including: - Clarification of expectations for subordinate CA ownership disclosure. - A new requirement, effective September 15, 2026, for additional disclosures within PKI policy documents to more clearly establish their scope and applicability. - Clarified audit expectations for CAs supporting time-stamping use cases. - Clarification of expectations related to explanatory letter disclosures when audit statements are delayed. - Encouragement for Qualified Auditors to review publicly disclosed incident reports and provide an opinion on incident handling and remediation. - Clarified CRL disclosure expectations, including the introduction of a new CCADB field, “All Full CRL URIs.” This field will require a properly formatted JSON array containing the complete set of distinct HTTP URLs appearing in the crlDistributionPoints extension of unexpired certificates issued by the CA. This requirement applies even when only a single full CRL is used. CCADB participants are encouraged to review the updated policy in full and assess any necessary updates to their practices and disclosures. If you have any questions or feedback, please raise them through the appropriate CCADB support or CCADB public discussion channels. Regards, Ben Wilson CCADB Steering Committee -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtaYTzReRTuP7m5fuP6en8DiOJ2Jjev-dQZa4MZPQ-GyR_g%40mail.gmail.com.
