Hi Wendy,

The scope of each self-assessment is intended to represent the set of CAs
operating under the same policies (i.e., the same CP/CPS combination, or a
combined CP/CPS document).


To elaborate and illustrate, if we assume the following scenario:

   - Root “ABC”:
      - Operates under CP #1
      - Operates under CPS #1
   - Subordinate CAs “123” and “456”:
      - Operate under CP #1
      - Operate under CPS #2
   - Subordinate CA “789”:
      - Operates under CP #1
      - Operates under CPS #3

We would expect:

   - Self-Assessment #1:
      - Policies Considered: CP #1, CPS #1
      - CAs in scope: “ABC”
      - CAs *not* in scope (i.e., covered under another assessment): “123”,
        “456”, “789”
   - Self-Assessment #2:
      - Policies Considered: CP #1, CPS #2
      - CAs in scope: “123”, “456”
      - CAs *not* in scope (i.e., covered under another assessment): “ABC”,
        “789”
   - Self-Assessment #3:
      - Policies Considered: CP #1, CPS #3
      - CAs in scope: “789”
      - CAs *not* in scope (i.e., covered under another assessment): “ABC”,
        “123”, “456”

The “(s)” in “operating under both the same CP and CPS(s)” is intended to
describe scenarios where a single CA is operated under multiple CPS
documents. For example, some CAs operate under a CPS and a Trust Service
Practice Statement (which today does not have a separate designation in the
CCADB and is sometimes identified as a CPS document type).

I hope this helps.

Thanks
-Chris

On Wed, Oct 11, 2023 at 10:33 AM Wendy Brown - QT3LB-C <wendy.br...@gsa.gov>
wrote:

> A question about the following statement:
>
> If an annual CCADB self-assessment is required by the individual Store
> policy, a single self-assessment may cover multiple CAs operating under
> both the same CP and CPS(s), or combined CP/CPS. CAs not operated under the
> same CP and CPS(s) or combined CP/CPS must be covered in a separate
> self-assessment.
>
> Can a single self-assessment be used if all CAs operate under the same CP,
> but there are different CPS documents for the Root CA vs the Subordinate
> CAs since they issue different types of certificates (i.e., the Root only
> issues CA certs and required infrastructure certificates, while the
> Subordinate CAs issue TLS subscriber certificates and any required
> infrastructure certificates, so the practices might be different from the
> Root)?
>
> I can't quite tell if that is what is meant by including the (s) after CPS.
>
> thanks,
>
> Wendy
>
>
> Wendy Brown
>
> Supporting GSA
>
> FPKIMA Technical Liaison
>
> Protiviti Government Services
> 703-965-2990 (cell)
>
>
> On Wed, Oct 11, 2023 at 9:49 AM 'Chris Clements' via CCADB Public <
> public@ccadb.org> wrote:
>
>> TL;DR: The CCADB Steering Committee will soon update the CCADB policy to
>> Version 1.3.0 <https://github.com/mozilla/www.ccadb.org/pull/138/files> [1],
>> which consolidates several requirements that currently exist in separate
>> Root Store policies. The CCADB Steering Committee provides this pre-release
>> draft and requests that any concerns be expressed by the CA community before
>> October 25, 2023.
>>
>> All,
>>
>> The CCADB policy <https://www.ccadb.org/policy> [2] will soon be updated
>> to Version 1.3.0 [1]. This update collects some currently disparate
>> requirements from Root Store policies and adds them to the CCADB policy.
>> Some Root Stores may update their individual policies in the future to
>> remove duplicative requirements.
>>
>> In general, this update:
>>
>>    1. adds clarifying language to “Section 5. Policies, Audits, and
>>       Practices”;
>>    2. states CA Owners must disclose at least an authoritative English
>>       version of policy documents to the CCADB;
>>    3. adds Audit Team Qualifications that are provided to the CCADB; and
>>    4. (if required by a Root Store policy) defines the submission
>>       requirements for the CCADB Self-Assessment.
>>
>> The specific changes can be viewed in this PR [1]. This update does not
>> intend to create any new requirements for CA Owners included in the CCADB,
>> rather it intends to combine some existing requirements into a single
>> source to simplify compliance activities.
>>
>> The Steering Committee intends for this version of the policy to become
>> effective on October 25, 2023, and we plan to announce the release with a
>> separate communication. We appreciate considerations from the CA community,
>> either in the PR or directly in this thread before October 25, 2023.
>>
>> Thank you,
>>
>> -Chris, on behalf of the CCADB Steering Committee
>>
>> [1] https://github.com/mozilla/www.ccadb.org/pull/138/files
>>
>> [2] https://www.ccadb.org/policy
>>

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to public+unsubscr...@ccadb.org.
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mAOzUk6eArXnpq-A6YMr%3DjxYeUq-2%2B1y9XKDyP2%3DP_GMw%40mail.gmail.com.