In the context of the TLS and S/MIME Baseline Requirements, the cPSuri is not 
required to point to the specific document(s) which govern the certificate in 
which it may be found. The requirement is only that the cPSuri contain a "HTTP 
or HTTPS URL for the Issuing CA's Certificate Policies, Certification Practice 
Statement, Relying Party Agreement, or other pointer to online policy 
information provided by the Issuing CA".

As far as I understand, CA/B Forum Guideline documents don’t require CAs to 
maintain availability of CPs/CPSes which are not currently authoritative for 
the issuance of new certificates. Root Programs do require maintenance of such 
an archive [1] and the CCADB’s (alongside incorporating Root Program Policies') 
requirement for disclosure of all CPs/CPSes [2] effectively creates a 
secondary, consistently structured source of this archive. In theory (and often 
in practice), the cPSuri should at minimum point to a repository containing the 
archive of active and historical (but still authoritative) CPs/CPSes, but it 
may be a substantial amount of effort to identify the document(s) governing any 
given leaf certificate. Part of the intent with the CCADB storing the effective 
date, and superseded date in the future, is to make it a little bit easier for 
relying and interested parties to find and validate that information — 
hopefully improving the overall situation your (not naive, imo) question 
highlights.

It’s also worth pointing out that including the cPSuri is not recommended and 
generally provides very little practical value. That could be changed and 
improved, but given the current direction of managing CAs and their policies at 
scale, I suspect such efforts may not be exceptionally fruitful.

Cheers,
-Clint 

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#33-cps-and-cpses
[2] https://www.ccadb.org/policy#5-policies-audits-and-practices
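As an added illustration (not part of this message or of any CCADB tooling), the following walks the DER of a certificatePolicies extension value, pulls out each policy OID and its cPSuri qualifier(s), and applies the only check the quoted BR wording actually imposes (HTTP or HTTPS URL). The sample extension bytes, the placeholder repository URL and the private-arc OID are constructed for the example; the parser itself is generic and handles any number of policies with or without qualifiers.

```python
# Walks a DER-encoded X.509 certificatePolicies value and lists each policy OID
# with its cPSuri qualifier(s). Pure Python, no third-party modules.
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # id-qt-cps qualifier id (RFC 5280 4.2.1.4)

def _tlv(buf, pos):  # decode one DER tag-length-value; returns (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):  # OID content octets -> dotted string
    arcs, acc = [value[0] // 40, value[0] % 40], 0  # first octet = 40*a1 + a2
    for b in value[1:]:  # remaining arcs are base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_certificate_policies(der):
    """Return [{'oid': str, 'cps': [uri, ...]}], one per PolicyInformation."""
    _, policies, _ = _tlv(der, 0)           # SEQUENCE OF PolicyInformation
    out, pos = [], 0
    while pos < len(policies):
        _, info, pos = _tlv(policies, pos)  # PolicyInformation
        _, oid, qpos = _tlv(info, 0)        # policyIdentifier
        entry = {"oid": _oid(oid), "cps": []}
        if qpos < len(info):                # policyQualifiers is OPTIONAL
            _, quals, _ = _tlv(info, qpos)
            qp = 0
            while qp < len(quals):
                _, q, qp = _tlv(quals, qp)  # PolicyQualifierInfo
                _, qid, vpos = _tlv(q, 0)
                _, qval, _ = _tlv(q, vpos)
                if _oid(qid) == ID_QT_CPS:  # qualifier is an IA5String CPSuri
                    entry["cps"].append(qval.decode("ascii"))
        out.append(entry)
    return out

def cps_uri_meets_br(uri):
    """The BR wording quoted above asks only for an HTTP or HTTPS URL."""
    return uri.lower().startswith(("http://", "https://"))

# Constructed sample (not from any real certificate): the CA/B Forum DV policy OID
# 2.23.140.1.2.1 with a placeholder cPSuri, then a placeholder OID with no qualifiers.
SAMPLE_URI = b"https://example.com/repository/"
SAMPLE_DER = (bytes.fromhex("3047 3037 0606 6781 0c01 0201 302d 302b 0608 2b06 0105 0507 0201 161f")
              + SAMPLE_URI + bytes.fromhex("300c 060a 2b06 0104 0186 8d1f 0101"))
```

Note that nothing in the parsed output identifies which version of the CP/CPS applied at issuance; that is exactly the gap the discussion above is about, and the CCADB effective-date records are the place to resolve it.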

> On Sep 5, 2024, at 12:45 PM, Mike Shaver <mike.sha...@gmail.com> wrote:
> 
> On Thu, Sep 5, 2024 at 3:23 PM 'Chris Clements' via CCADB Public 
> <public@ccadb.org <mailto:public@ccadb.org>> wrote:
>> Currently, we see some CA Owners using a URL with a specific version of the 
>> document and others using a URL that points to where the latest version of 
>> the document can be found. Both are acceptable. The POLICY DOCUMENTS guide 
>> <https://docs.google.com/document/d/1qAVihgbo7TuH3xqq2zbxhxHajQnJwbHUGEFf2VjxoZQ/edit#bookmark=id.gqczpewy5797>
>>  states: "If the link to your CA’s most current policy document remains 
>> constant, then you can simply edit the document object to update the date, 
>> add policy identifiers, update comments, and update the list of applicable 
>> root certificates."
> 
> Naive question: if a policy document can change without the URL changing, how 
> does one find the policy under which a given certificate was issued? Doesn't 
> cpsUri have to point to the policy that governed the issuance of the 
> certificate?
> 
> Mike

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to public+unsubscr...@ccadb.org.
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/9C03D8B5-C6E1-4AA6-9BFF-471E33E4D119%40apple.com.
