Open Bug 1945913 Opened 15 days ago

Add Case Type: Root or Trust Bit Removal

Categories

(CA Program :: Common CA Database, enhancement)

Tracking

(Not tracked)

People

(Reporter: bwilson, Unassigned)

Details

The CCADB has case types for "Add/Update Root Requests" and "Root Inclusions". A similar case type, "Root and Trust Bit Removals", should be added to facilitate structured tracking and documentation of CA root removals.

Rationale & Benefits:

  • Improved Record-Keeping & Transparency – The removal of a root certificate or specific trust bits is a key decision that should be documented and tracked systematically in CCADB. Having a dedicated case type ensures:
    • Consistency in recording trust removals across different root programs.
    • A historical reference for why a CA or specific trust bit was removed.
    • Better alignment with how inclusions and updates are tracked.
  • Enhanced Workflow Management – Adding this case type allows CCADB users (Root Store Operators, CAs, and auditors) to:
    • Submit and track root removals in the same structured manner as inclusions.
    • Categorize removals separately from updates.
    • Support coordination between multiple root programs when removals affect multiple browsers.
  • Regulatory & Compliance Support – Documenting removals in a structured way:
    • Helps align with governance and compliance reporting (e.g., NIS2, WebTrust audits, CA/B Forum requirements).
    • Ensures affected parties (CAs, relying parties, and compliance auditors) can easily track and verify removals.
  • Support for Partial Removals (Trust Bits vs. Full Removal) –
    • Some removals affect only specific trust bits (e.g., removing email trust but retaining TLS).
    • This case type should allow Root Programs to specify if the request is a full root removal or a trust-bit removal.

Suggested Implementation Considerations:

  • New Case Type: Add "Root and Trust Bit Removals" as a distinct category.
  • Data Fields: Capture details such as:
    • Root Certificate Subject Name
    • SHA-256 Fingerprint
    • Requested Removal Date
    • Type of Removal (Full Root vs. Specific Trust Bits)
    • Reason for Removal (Non-compliance, Cessation of Operations, etc.)
    • Supporting Documentation (Public announcement, compliance concerns, etc.)
  • Integration with Root Store Policies: Ensure this aligns with Mozilla, Chrome, Apple, and Microsoft removal policies.

Next Steps:

  • Discuss the feasibility of this enhancement within the CCADB Steering Committee.
  • Gather input from Root Store Operators on any additional fields or requirements.
  • Implement in a staged manner, ensuring compatibility with existing CCADB workflows.