Hi Andrew,

- I agree that the intent would be clearer if we used “if and only if.” We'll take that into consideration as a Steering Committee. The only issue I see is where the name in an audit letter might be different due to some issue with the organizational structure of the CA Owner or due to a recent merger or acquisition. (But maybe that issue works itself out in practice when records are updated in the CCADB.) Otherwise, in nearly all cases, the field should be left blank "if and only if" both the private key control and domain/IP/email validation are handled by the same organization identified in the audit (i.e. the owner/operator of the root CA). In other words, I generally agree that we should make that suggested language change.

- The Google Document itself isn’t formally part of the CCADB Policy. However, your observation is correct — if we want CAs to be bound by this requirement, it should be incorporated into the Policy itself. The CCADB Steering Committee can take up a change proposal to add this language to the CCADB Policy, ensuring that the expectation is enforceable and not just guidance.

- At present, there is no automated enforcement of whether the “Subordinate CA Owner” field is populated correctly. (ALV does not have that kind of capability.) However, to start, there are existing CCADB administrative reports we use that can be adapted and run to cross-check consistency. For example, they might compare whether “Audit Same as Parent” is checked and whether the “Subordinate CA Owner” field has been populated or left blank. Such reports could help flag inconsistencies. I'll take a look at modifying one of our existing reports and running it. Then I can post the results in this thread.

- Thanks for your input.

Ben

On Thu, Sep 25, 2025 at 7:50 AM Andrew Ayer <[email protected]> wrote:

> According to https://docs.google.com/document/d/1S3u0-_YACA7m-3LPpjE-t4WCh2cww_SQFh2C9DJeXHA/edit?tab=t.0 the "Subordinate CA Owner" field means:
>
> "This is the Subordinate CA's name as it appears in the provided audit statements. CA Owners are to leave it blank if BOTH control of the private key AND domain/IP/email validation activities are performed by the organization listed in the audit statement of the parent certificate."
>
> First, "if" should be "if and only if". Otherwise, a CA is free to leave it blank even if a different organization controls the private key, which I don't think is the intent.
>
> Second, is this Google Doc considered part of the CCADB Policy? If not, the above passage should be added to the CCADB Policy so that CAs are actually required to follow it.
>
> Finally, is there any automated enforcement (e.g. Audit Letter Validation) to ensure that CAs are populating this field (or leaving it blank) correctly?
>
> Regards,
> Andrew
>
> --
> You received this message because you are subscribed to the Google Groups "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/20250925095032.42b5662fb13914039c8b3df3%40andrewayer.name.
