Hi Wendy,
The scope of each self-assessment is intended to represent the set of CAs
operating under the same policies (i.e., the same CP/CPS combination, or a
combined CP/CPS document).
To elaborate and illustrate, if we assume the following scenario:
- Root “ABC”:
  - Operates under CP #1
  - Operates under CPS #1
- Subordinate CAs “123” and “456”:
  - Operate under CP #1
  - Operate under CPS #2
- Subordinate CA “789”:
  - Operates under CP #1
  - Operates under CPS #3
We would expect:
- Self-Assessment #1:
  - Policies Considered: CP #1, CPS #1
  - CAs in scope: “ABC”
  - CAs *not* in scope (i.e., covered under another assessment): “123”, “456”, “789”
- Self-Assessment #2:
  - Policies Considered: CP #1, CPS #2
  - CAs in scope: “123”, “456”
  - CAs *not* in scope (i.e., covered under another assessment): “ABC”, “789”
- Self-Assessment #3:
  - Policies Considered: CP #1, CPS #3
  - CAs in scope: “789”
  - CAs *not* in scope (i.e., covered under another assessment): “ABC”, “123”, “456”
The “(s)” in “operating under both the same CP and CPS(s)” is intended to
describe scenarios where a single CA is operated under multiple CPS
documents. For example, some CAs operate under a CPS and a Trust Service
Practice Statement (which today does not have a separate designation in the
CCADB and is sometimes identified as a CPS document type).
I hope this helps.
Thanks,
-Chris
On Wed, Oct 11, 2023 at 10:33 AM Wendy Brown - QT3LB-C <[email protected]>
wrote:
> A question about the following statement:
>
> If an annual CCADB self-assessment is required by the individual Store
> policy, a single self-assessment may cover multiple CAs operating under
> both the same CP and CPS(s), or combined CP/CPS. CAs not operated under the
> same CP and CPS(s) or combined CP/CPS must be covered in a separate
> self-assessment.
>
> Can a single self-assessment be used if all CAs operate under the same CP,
> but there are different CPS documents for the Root CA vs. the Subordinate
> CAs, since they issue different types of certificates? (i.e., the Root only
> issues CA certs and required infrastructure certificates, while the
> Subordinate CAs issue TLS subscriber certificates and any required
> infrastructure certificates, so the practices might be different from the
> Root.)
>
> I can't quite tell if that is what is meant by including the (s) after CPS.
>
> thanks,
>
> Wendy
>
>
> Wendy Brown
>
> Supporting GSA
>
> FPKIMA Technical Liaison
>
> Protiviti Government Services
> 703-965-2990 (cell)
>
>
> On Wed, Oct 11, 2023 at 9:49 AM 'Chris Clements' via CCADB Public <
> [email protected]> wrote:
>
>> TL;DR: The CCADB Steering Committee will soon update the CCADB policy to
>> Version 1.3.0 [1], which consolidates several requirements that currently
>> exist in separate Root Store policies. The CCADB Steering Committee provides
>> this pre-release draft and requests that any concerns be expressed by the CA
>> community before October 25, 2023.
>>
>> All,
>>
>> The CCADB policy [2] will soon be updated to Version 1.3.0 [1]. This update
>> collects some currently disparate requirements from Root Store policies and
>> adds them to the CCADB policy.
>> Some Root Stores may update their individual policies in the future to
>> remove duplicative requirements.
>>
>> In general, this update:
>>
>> 1. adds clarifying language to “Section 5. Policies, Audits, and
>>    Practices”;
>> 2. states CA Owners must disclose at least an authoritative English
>>    version of policy documents to the CCADB;
>> 3. adds Audit Team Qualifications that are provided to the CCADB; and
>> 4. (if required by a Root Store policy) defines the submission
>>    requirements for the CCADB Self-Assessment.
>>
>>
>> The specific changes can be viewed in this PR [1]. This update does not
>> intend to create any new requirements for CA Owners included in the CCADB,
>> rather it intends to combine some existing requirements into a single
>> source to simplify compliance activities.
>>
>> The Steering Committee intends for this version of the policy to become
>> effective on October 25, 2023, and we plan to announce the release with a
>> separate communication. We appreciate considerations from the CA community,
>> either in the PR or directly in this thread before October 25, 2023.
>>
>> Thank you,
>>
>> -Chris, on behalf of the CCADB Steering Committee
>>
>> [1] https://github.com/mozilla/www.ccadb.org/pull/138/files
>>
>> [2] https://www.ccadb.org/policy
>>
>
--
You received this message because you are subscribed to the Google Groups
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mAOzUk6eArXnpq-A6YMr%3DjxYeUq-2%2B1y9XKDyP2%3DP_GMw%40mail.gmail.com.