All,

The CCADB update to enhance the Derived Trust Bit (DTB) and Extended
Validation (EV) logic and add transitive trust status for intermediate
certificate records is now complete. CA Owner access to the CCADB has been
restored.

This update:

   - Adds new auto-populated fields for root and intermediate certificates
   and enhances the logic for determining DTBs and EV-enablement. [1815933
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1815933>]
   - Better informs CA Owners of missing audit reports or unintended EV
   treatment (via updated logic) for their certificates in the CA Task List
   reports.
   - Enhances Audit Letter Validation (ALV) by sending `Trust Bits for Root
   Cert & DTBs` from the CCADB to ALV for root certificates. The additional
   values sent will be visible to CA Owners in the ‘Add/Update Root Request’
   Case UI in a new column called `Additional DTBs` on the AUDITS tab.
   - Better aligns the CCADB trust bits and EV enablement with the trust
   properties conveyed by crt.sh.
   - Improves the determination and communication of Root Store trust
   status for all intermediate certificate records and certificates sharing
   the same Subject+SPKI, displaying trust information (e.g., `Trusted` or
   `Not Trusted`) for each Root Store, while considering program-specific
   evaluations. [1967751
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1967751>]
   - Changes the "Certificate Data [Fields NOT editable; extracted from
   PEM]" page layout header to two distinct headers to better differentiate
   certificate PEM data from CCADB-generated data.
   - Updates the AllCertificateRecordsCSVFormatv2 report to add two new
   fields to the end of the file: `Trust Bits for Root Cert` and `EV OIDs for
   Root Cert`.
   - Deprecates `Code` (i.e., code signing) from the Mozilla set of Trust
   Bits because it is no longer processed by Mozilla.
   - Adds more EKU OID mappings to the CCADB. [1796686
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1796686>]

The AUDITS
<https://docs.google.com/document/d/12U4az-hjYDC_aWsVn8-Y5vVmJ10inVziAxrQoxP-hfI/edit?tab=t.0#heading=h.5p0busri34os>
user guide, Understanding AllCertificateRecordsReport.csv
<https://docs.google.com/document/d/1S3u0-_YACA7m-3LPpjE-t4WCh2cww_SQFh2C9DJeXHA/edit?tab=t.0>
document, and several pages on ccadb.org will be updated to reflect the
changes from this enhancement in more detail.

Please continue to contact CCADB Support ([email protected]) with any
questions regarding the CCADB.

Thank you
-Chris, on behalf of the CCADB Steering Committee

On Fri, May 23, 2025 at 10:17 AM Chris Clements <[email protected]>
wrote:

> All,
>
>
> On May 29, 2025, the CCADB will be updated, introducing changes to the
> Derived Trust Bit (DTB) and Extended Validation (EV) logic and adding
> transitive trust status for intermediate certificate records.
>
>
> The CCADB will be unavailable to CA Owners from May 29, 2025, at
> approximately 08:00PM PDT, until May 30, 2025, at approximately 08:00PM PDT.
>
>
> The new functionality should:
>
>
>    - Add new auto-populated fields for root and intermediate certificates
>    and enhance the logic for determining DTBs and EV-enablement. [1815933
>    <https://bugzilla.mozilla.org/show_bug.cgi?id=1815933>]
>    - Better inform CA Owners of missing audit reports or unintended EV
>    treatment (via updated logic) for their certificates in the CA Task List
>    reports.
>    - Enhance Audit Letter Validation (ALV) by sending `Trust Bits for
>    Root Cert & DTBs` from the CCADB to ALV for root certificates. The
>    additional values sent will be visible to CA Owners in the ‘Add/Update Root
>    Request’ Case UI in a new column called `Additional DTBs` on the AUDITS
>    tab.
>    - Better align the CCADB trust bits and EV enablement with the trust
>    properties conveyed by crt.sh.
>    - Improve the determination and communication of Root Store trust
>    status for all intermediate certificate records and certificates sharing
>    the same Subject+SPKI, displaying trust information (e.g., `Trusted` or
>    `Not Trusted`) for each Root Store, while considering program-specific
>    evaluations. [1967751
>    <https://bugzilla.mozilla.org/show_bug.cgi?id=1967751>]
>    - Change the "Certificate Data [Fields NOT editable; extracted from
>    PEM]" page layout header to two distinct headers to better differentiate
>    certificate PEM data from CCADB-generated data.
>    - Update the AllCertificateRecordsCSVFormatv2 report to add two new
>    fields to the end of the file: `Trust Bits for Root Cert` and `EV OIDs for
>    Root Cert`.
>    - Deprecate `Code` (i.e., code signing) from the Mozilla set of Trust
>    Bits because it is no longer processed by Mozilla.
>    - Add more EKU OID mappings to the CCADB. [1796686
>    <https://bugzilla.mozilla.org/show_bug.cgi?id=1796686>]
>
> The AUDITS
> <https://docs.google.com/document/d/12U4az-hjYDC_aWsVn8-Y5vVmJ10inVziAxrQoxP-hfI/edit?tab=t.0#heading=h.5p0busri34os>
> user guide, Understanding AllCertificateRecordsReport.csv
> <https://docs.google.com/document/d/1S3u0-_YACA7m-3LPpjE-t4WCh2cww_SQFh2C9DJeXHA/edit?tab=t.0>
> document, and several pages on ccadb.org will be updated to reflect the
> changes from this enhancement in more detail.
>
>
> Notifications regarding the start and completion of this release will be
> sent by the CCADB to all participating CA Owners next week. We also plan to
> provide an update here next week at the release's conclusion.
>
>
> Thank you
>
> -Chris, on behalf of the CCADB Steering Committee
>
>
