Open
Bug 1945913
Opened 15 days ago
Add Case Type: Root or Trust Bit Removal
Categories
(CA Program :: Common CA Database, enhancement)
Tracking
(Not tracked)
NEW
People
(Reporter: bwilson, Unassigned)
Details
The CCADB has case types for "Add/Update Root Requests" and "Root Inclusions". A similar case type, "Root and Trust Bit Removals", should be added, which will facilitate structured tracking and documentation of CA root removals.
Rationale & Benefits:
- Improved Record-Keeping & Transparency – The removal of a root certificate or specific trust bits is a key decision that should be documented and tracked systematically in CCADB. Having a dedicated case type ensures:
  - Consistency in recording trust removals across different root programs.
  - A historical reference for why a CA or specific trust bit was removed.
  - Better alignment with how inclusions and updates are tracked.
- Enhanced Workflow Management – Adding this case type allows CCADB users (Root Store Operators, CAs, and auditors) to:
  - Submit and track root removals in the same structured manner as inclusions.
  - Categorize removals separately from updates.
  - Support coordination between multiple root programs when removals affect multiple browsers.
- Regulatory & Compliance Support – Documenting removals in a structured way:
  - Helps align with governance and compliance reporting (e.g., NIS2, WebTrust audits, CA/B Forum requirements).
  - Ensures affected parties (CAs, relying parties, and compliance auditors) can easily track and verify removals.
- Support for Partial Removals (Trust Bits vs. Full Removal):
  - Some removals affect only specific trust bits (e.g., removing email trust but retaining TLS).
  - This case type should allow Root Programs to specify if the request is a full root removal or a trust-bit removal.
Suggested Implementation Considerations:
- New Case Type: Add "Root and Trust Bit Removals" as a distinct category.
- Data Fields: Capture details such as:
  - Root Certificate Subject Name
  - SHA-256 Fingerprint
  - Requested Removal Date
  - Type of Removal (Full Root vs. Specific Trust Bits)
  - Reason for Removal (Non-compliance, Cessation of Operations, etc.)
  - Supporting Documentation (Public announcement, compliance concerns, etc.)
- Integration with Root Store Policies: Ensure this aligns with Mozilla, Chrome, Apple, and Microsoft removal policies.
Next Steps:
- Discuss the feasibility of this enhancement within the CCADB Steering Committee.
- Gather input from Root Store Operators on any additional fields or requirements.
- Implement in a staged manner, ensuring compatibility with existing CCADB workflows.