I have been working towards extending Audit Letter Validation (ALV) to intermediate certificate records in the CCADB. This is involving some changes.

I added a field to intermediate cert records called 'Subordinate CA Owner', with help text: "If this certificate does not have the same audit statements as its parent certificate, then enter the name of the subordinate CA as it appears in its audit statements."

I will appreciate input on how to make that more clear.

I believe there is now a trigger that will require this field to be filled in when audit statements are added or updated in an intermediate cert record.

I also plan to add a CA task list item to CAs home page called:
"Provide ‘Subordinate CA Owner’ and ‘Auditor’ for Intermediate Certs with their own Audit Statements" with Instructions: "When an intermediate certificate record in the CCADB corresponds to a certificate that has different audit statements than the parent record in the CCADB, then fill in the ‘Subordinate CA Owner’ field to enter the name of the CA as it appears in its audit statements. Also fill in the Auditor name as it appears in the audit statements."

Again, I'm open to suggestions about how to make this more clear.

Regarding these reports

https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits

https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAuditsCSV

I plan to add a "Subordinate CA Owner" column, and change the name of the current "CA Owner" column to "Parent CA Owner".

There is now a "Derived Trust Bits" field in the "Certificate Data [Fields NOT editable; extracted from PEM]" section. This is used to determine which audit statements the intermediate cert needs (e.g. if ServerAuth, then need BR audit). Very high level logic: If the cert has EKU in it, then that will be used. Otherwise see which root store its parent root cert is in. If in both Mozilla and Microsoft then create union of the trust bits that the parent/root cert is trusted for.

When "Audits Same as Parent" is checked, CCADB will look up the parent chain until audit statements are found. When "Audits Same as Parent" is not checked, then CCADB will just pass the audit statements in the intermediate cert record into Audit Letter Validation (ALV).

There are some ALV status/results fields and a 'Date ALV Processed' field that are currently only visible to root store operators, as we continue to test/debug. I hope to make these fields visible to CAs soon. Of course, eventually (after things are working enough) I plan to provide public-facing reports with the information.

We are working on a process that will run nightly to update ALV results on intermediate cert records when new audit statements are provided.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
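The two pieces of logic described in the post (deriving trust bits from EKU or from the parent root's store membership, and resolving audit statements by walking up the chain when "Audits Same as Parent" is checked) are sketched below as an added Python illustration. This is not CCADB code: the record shape, field names, the EKU-to-trust-bit mapping, the audit-per-trust-bit table beyond the ServerAuth/BR case, and all sample certificate records are constructed assumptions for the example.

```python
# Added illustration, not CCADB code. Models how "Derived Trust Bits",
# "Audits Same as Parent" and the "Subordinate CA Owner" requirement
# could be evaluated for intermediate cert records. All field names,
# mappings and sample records below are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Assumed mapping from EKU names to root-store trust bits.
EKU_TO_TRUST_BIT = {
    "serverAuth": "Websites",
    "emailProtection": "Email",
}

# Which audits a trust bit requires. The post states the ServerAuth -> BR
# case; the Email row is an assumption for illustration only.
TRUST_BIT_TO_REQUIRED_AUDITS = {
    "Websites": frozenset({"Standard Audit", "BR Audit"}),
    "Email": frozenset({"Standard Audit"}),
}


@dataclass
class CertRecord:
    """Assumed minimal shape of a CCADB cert record (root or intermediate)."""
    name: str
    parent: Optional["CertRecord"] = None
    ekus: FrozenSet[str] = frozenset()
    # Trust bits per root store; only meaningful on root records.
    root_store_trust: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    audits_same_as_parent: bool = True
    # Kinds of audit statements attached to this record.
    audit_statements: FrozenSet[str] = frozenset()
    subordinate_ca_owner: str = ""


def root_of(cert: CertRecord) -> CertRecord:
    """Follow parent links up to the root record."""
    while cert.parent is not None:
        cert = cert.parent
    return cert


def derived_trust_bits(cert: CertRecord) -> FrozenSet[str]:
    """EKU wins if present; otherwise union the parent root's trust bits
    across the Mozilla and Microsoft stores."""
    if cert.ekus:
        return frozenset(EKU_TO_TRUST_BIT[e] for e in cert.ekus if e in EKU_TO_TRUST_BIT)
    root = root_of(cert)
    bits = set()
    for store in ("Mozilla", "Microsoft"):
        bits |= root.root_store_trust.get(store, frozenset())
    return frozenset(bits)


def required_audits(cert: CertRecord) -> FrozenSet[str]:
    """Audit statements the record needs, given its derived trust bits."""
    needed = set()
    for bit in derived_trust_bits(cert):
        needed |= TRUST_BIT_TO_REQUIRED_AUDITS.get(bit, frozenset())
    return frozenset(needed)


def effective_audit_statements(cert: CertRecord) -> FrozenSet[str]:
    """If "Audits Same as Parent" is unchecked, use the record's own statements;
    otherwise walk up the chain until a record with statements is found."""
    if not cert.audits_same_as_parent:
        return cert.audit_statements
    node = cert.parent
    while node is not None:
        if node.audit_statements:
            return node.audit_statements
        node = node.parent
    return frozenset()


def validate_record(cert: CertRecord) -> List[str]:
    """Problems an intermediate record would have before ALV (empty = OK)."""
    issues: List[str] = []
    if cert.parent is None:
        return issues  # roots are out of scope for this illustration
    if not cert.audits_same_as_parent and not cert.subordinate_ca_owner:
        issues.append("missing Subordinate CA Owner")
    missing = required_audits(cert) - effective_audit_statements(cert)
    issues.extend("missing " + audit for audit in sorted(missing))
    return issues


# Constructed sample chain (not real CCADB data).
ROOT = CertRecord(
    "Example Root (constructed)",
    root_store_trust={"Mozilla": frozenset({"Websites", "Email"}),
                      "Microsoft": frozenset({"Websites"})},
    audits_same_as_parent=False,
    audit_statements=frozenset({"Standard Audit", "BR Audit"}),
)
INTER_A = CertRecord("Inter A: no EKU, same audits as parent", parent=ROOT)
INTER_B = CertRecord("Inter B: serverAuth EKU, own audits", parent=ROOT,
                     ekus=frozenset({"serverAuth"}), audits_same_as_parent=False,
                     audit_statements=frozenset({"Standard Audit", "BR Audit"}),
                     subordinate_ca_owner="Example Sub CA (constructed)")
INTER_C = CertRecord("Inter C: email EKU, inherits from B", parent=INTER_B,
                     ekus=frozenset({"emailProtection"}))
INTER_D = CertRecord("Inter D: serverAuth EKU, incomplete", parent=ROOT,
                     ekus=frozenset({"serverAuth"}), audits_same_as_parent=False,
                     audit_statements=frozenset({"Standard Audit"}))

if __name__ == "__main__":
    for rec in (INTER_A, INTER_B, INTER_C, INTER_D):
        print(rec.name, sorted(derived_trust_bits(rec)), validate_record(rec))
```

Inter A has no EKU, so its trust bits are the union of what the root is trusted for in both stores, and its audits resolve to the root's statements; Inter D shows the two failure modes the post's trigger and task list item are meant to catch: own audit statements without a Subordinate CA Owner, and a ServerAuth cert with no BR audit.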
