CCADB Policy: Require audit statements to be text-searchable PDF #210

Open
WilsonKathleen opened this issue May 5, 2020 · 3 comments
Labels
CCADB Issues related to Common CCADB Policy

Comments

@WilsonKathleen
Contributor

Consider updating Section 5.1 of the CCADB Policy (https://www.ccadb.org/policy) to require that audit statements be text-searchable PDF documents.

Currently this is under discussion in the CA/Browser Forum as part of the "Browser Alignment" ballot (sleevi/cabforum-docs#10). That proposal is to add the following text to section 8.6 of the BRs:
“The Audit Report MUST be available as a PDF, and SHALL be text searchable for all information required.”

We should also consider adding this requirement directly to the CCADB Policy, because there are CAs with included root certs that do not have the Websites (TLS) trust bit enabled.

@WilsonKathleen WilsonKathleen added the 2.7.1 Mozilla Root Store Policy version 2.7.1 label May 5, 2020
@benwilsonusa

Section 8.6 of version 1.7.1 of the Baseline Requirements now includes, "The Audit Report MUST be available as a PDF, and SHALL be text searchable for all information required."

@WilsonKathleen
Contributor Author

Note that this change is specific to the CCADB Policy (https://www.ccadb.org/policy), which currently says:
"SHOULD: be encoded in the document (PDF) as select-able text, not an image"

I can make the change, but we should check with the other root store members first, since we all have CAs in our programs that do not have the Server Auth trust bit enabled (so the BRs don't apply to them).

@BenWilson-Mozilla
Collaborator

Also, besides the CCADB policy, the first sentence in section 3.1.4 of the Mozilla Root Store Policy could be amended to say, "The publicly-available documentation relating to each audit MUST be available as a PDF, text-searchable, and contain at least the following clearly-labelled information: ..."
Also, we could add a final sentence to that section 3.1.4 to indicate that "supplied by the Auditor" means it needs to be retrievable from the auditor's website or CPA Canada (for WebTrust seals) -- this is a check already performed by the CCADB's ALV process when it checks the "AuditLocation".

@WilsonKathleen WilsonKathleen added the CCADB Issues related to Common CCADB Policy label Sep 21, 2020
@BenWilson-Mozilla BenWilson-Mozilla removed the 2.7.1 Mozilla Root Store Policy version 2.7.1 label Sep 29, 2020