Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)
Hello again Rob, "ISRG Root X1" is listed as "Unconstrained id-kp-serverAuth Trust: Disclosure is required!" I believe this root is now (or shortly will be) trusted directly by NSS, and so isn't an intermediate and shouldn't appear on the list. Before it was added to NSS, it simply wasn't trusted at all, although it is seen in some CT logs. So I think under either circumstance it shouldn't be listed as "disclosure is required". ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)
On 09/08/16 00:16, Kathleen Wilson wrote: It seems to me that as long as a revoked intermediate certificate has been disclosed (i.e. in Salesforce) that the certificates that it signed do not need to be disclosed. I've just changed "Probably!" to "Unknown" (for the "Unconstrained, but all unexpired observed paths Revoked" group on https://crt.sh/mozilla-disclosures). "Unknown" is appropriate because crt.sh cannot know whether or not it has observed all of the paths that exist. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)
On 08/08/16 10:25, Rob Stradling wrote: Nick, Peter, I looked at https://crt.sh/mozilla-disclosures immediately after the Symantec cross-cert expired, and I was surprised to see no change. I was on holiday all last week, so I'm only just investigating it properly now. I suspect crt.sh is getting confused by the combination of the expired Symantec cross-cert and the revoked Identrust cross-cert. If they'd both expired or both been revoked, I suspect this (presumed) bug would not have been discovered. I'm going to try changing "Unconstrained, but all observed paths Revoked" to "Unconstrained, but all unexpired observed paths Revoked" Bug fixed. All of the FPKI intermediates now show up in this group: https://crt.sh/mozilla-disclosures#trustrevoked Note that crt.sh says "Disclosure is probably required!" for this group, as per Richard's suggestion to "err on the side of disclosing subordinates under a revoked certificate, with exceptions..." [1]. Richard did say he'd "be willing to make an exception for this specific case, since the Federal Bridge is a known issue" [2]. Kathleen, Would it be possible to add a field (to Salesforce and to https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsRevokedCSVFormat) so that crt.sh can track these exceptions? [1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg03468.html [2] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg03476.html -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)
On 02/08/16 14:46, Peter Bowen wrote: On Tue, Aug 2, 2016 at 5:11 AM, Nick Lambwrote: Rob, today I examined https://crt.sh/mozilla-disclosures because I was interested to see if the now expired signature from Symantec's "VeriSign Class 3 SSP Intermediate CA - G2" of "Federal Bridge CA 2013" had the expected effect. I understand that traversing a network with known and potentially unknown loops in it is tricky to do correctly, so I am not sure whether the fact that a large number of "US Government" CAs are still listed as Unconstrained id-kp-serverAuth Trust reflects a problem with that traversal or a real, previously undetected trust relationship that I wasn't able to spot by eye. Nick, I believe this to be a bug in crt.sh. I have a local copy of all the cross-certificates and the US Federal PKI and subordinate CAs from there do not appear in the current trust graph. Thanks, Peter Nick, Peter, I looked at https://crt.sh/mozilla-disclosures immediately after the Symantec cross-cert expired, and I was surprised to see no change. I was on holiday all last week, so I'm only just investigating it properly now. I suspect crt.sh is getting confused by the combination of the expired Symantec cross-cert and the revoked Identrust cross-cert. If they'd both expired or both been revoked, I suspect this (presumed) bug would not have been discovered. I'm going to try changing "Unconstrained, but all observed paths Revoked" to "Unconstrained, but all unexpired observed paths Revoked" -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)
On 27/06/16 23:56, Kathleen Wilson wrote: I understand that many of you are working to get your intermediate certificate data entered by the end of June, so I will grant a reprieve of a few days for those of you who are impacted by the system being down tomorrow. Also, I had to postpone some of the mass importing of intermediate certificate data, and will resume that when I return from vacation. So, please understand that our target date of having the intermediate cert data entered by June 30 will be delayed a bit longer. Another friendly reminder to all CA representatives: Mozilla's March 2016 CA Communication [1] required you to enter the following details into the CA Community in Salesforce... - "the full PEM data" - "CP/CPS and audit statements" ...for "every intermediate certificate that directly or transitively chains to your included root certificates, provided that the root certificate is enabled with the Websites trust bit and the intermediate certificate is not Technically Constrained". You indicated [2] that you were aware of this requirement and that you planned to comply by 30th June 2016 (except for: "Government of Japan, Ministry of Internal Affairs and Communications", who plan to respond by 31th March 2017; and HARICA, who plan to respond by 5th June 2018). An astonishing 45% of the applicable intermediate certificates that are known to the Certificate Transparency logs have not yet been fully disclosed in Salesforce!! I'd like to encourage you ALL to review the crt.sh report [3] and to check your own records for any other intermediate certificates (that are not yet known to CT) that you need to disclose. Also, please note that I've just split out 2 new groups [3] from the "Disclosed" group: - "Disclosure Incomplete": Intermediate certificates for which "the full PEM data" has been provided but either/both of the "CP/CPS and audit statements" have not been provided. - "Disclosed, but with Errors": The necessary data has been provided, but Salesforce shows the following error message: "For intermediate certificates, Parent Certificate Name must be the certificate's Issuer Common Name or Issuer Organization. Additional characters may be added at the end of the name, but must be kept consistent within the hierarchy." The "Disclosure Incomplete", "Unconstrained id-kp-serverAuth Trust", "Unconstrained, but all observed paths Revoked", "Disclosed, but with Errors" and "Unknown to crt.sh or Incorrectly Encoded" groups all need to become empty. [1] https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o00iHdtx [2] https://mozillacaprogram.secure.force.com/Communications/CACommSummaryReport?CommunicationID=a05o00iHdtx [3] https://crt.sh/mozilla-disclosures -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Salesforce offline Tuesday, June 28, for data import
The data migration has happened, and I have reviewed the data in the production DB. We will need to do some tweaking/fixing over then next couple of weeks, but I think we're good to go. So, we will begin restoring access to the system, and I will send the "end of service outage" notice as soon as it has all been restored. Kathleen On 6/28/16 8:57 PM, Kathleen Wilson wrote: All, The signature that we were waiting for has happened, so we will continue with the data migration. The public-facing reports will not be available when the data import is happening, and until we have verified the data. Kathleen On 6/28/16 7:56 PM, Kathleen Wilson wrote: All, I apologize for the delay. We are waiting for a signature on the agreement that must be completed before we can import the Microsoft root store data into production. It is looking like we may have to wait until tomorrow morning (PDT). In the meantime, public-facing reports are working, but access to the system is very limited because we don't want any changes going into the system until we finish the data import. I will provide status updates as things progress. Kathleen On 6/28/16 8:29 AM, Kathleen Wilson wrote: The work on this data migration is starting now. The CA Community in Salesforce (a.k.a. the Common CA Database) will be offline while we do this data migration. I have kicked off the process to send an email with subject "CA Community in Salesforce - Planned Outage - Starting Now" to everyone who has a login to the CA Community in Salesforce. Kathleen On 6/27/16 3:56 PM, Kathleen Wilson wrote: All, We are planning to do the import of the data corresponding to Microsoft's root store program into the CA Community in Salesforce, with the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the work to take 8 to 10 hours. I understand that many of you are working to get your intermediate certificate data entered by the end of June, so I will grant a reprieve of a few days for those of you who are impacted by the system being down tomorrow. Also, I had to postpone some of the mass importing of intermediate certificate data, and will resume that when I return from vacation. So, please understand that our target date of having the intermediate cert data entered by June 30 will be delayed a bit longer. Jody and I are hoping to get his data imported tomorrow, so that we have a day to recover and handle any fine tuning, before I go on vacation. We decided not to wait until after my vacation, because Jody has a lot of work to do on restoring his data, hopes to do the work once (not have to repeat), and wants to get started as soon as possible. We were hoping to get this data import done much earlier, but there have been unforeseen delays. Below is the draft of the mass email that I plan to send to everyone who has access to the CA Community in Salesforce -- one message will be sent at the beginning of the data migration, and the other at the end. Please let me know if you have any feedback on this. Thanks, Kathleen == At beginning of migration day == Dear Certification Authority, Today, {!Today}, the Common CA Database (a.k.a. CA Community in Salesforce) will be offline while we import Microsoft’s root store data into the production database. During that time, the following things will happen: 1) You will not be able to login to the CA Community in Salesforce. 2) The urls to Mozilla’s public-facing reports will not work. Background on the Common CA Database may be found here: https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators I will send another email as soon as the data migration has been completed. I apologize for any inconvenience this causes. Regards, Kathleen Wilson Mozilla CA Program Manager == == At end of migration day == Dear Certification Authority, The work on the Common CA Database (a.k.a. CA Community in Salesforce) has been completed. Your access to the system and Mozilla's public-facing reports have been restored. You may notice the following: 1) Microsoft’s root store data has been imported and merged, so there are more CA Owner and Root Certificate records. 2) The “Status” field in the CA Owner and Root Certificate records has been changed to “Mozilla Status”. 3) There is a “Microsoft Fields” section in the page layout for CA Owner and Root Certificate records, and those fields can only be edited by Microsoft’s root store operator, Jody Cloutier. 4) There is a “Mozilla Fields” section in the page layout for the Root Certificate records and those fields can only be edited by Mozilla’s root store operator, Kathleen Wilson. 5) Mozilla’s public-facing reports should still only indicate information pertaining to Mozilla’s root store. Please reply to this email if you notice any issues with your CA’s data, or if you have any problems logging into the system. Regards, Kathleen Wilson Mozilla CA Program Manager == ___
Re: Salesforce offline Tuesday, June 28, for data import
All, The signature that we were waiting for has happened, so we will continue with the data migration. The public-facing reports will not be available when the data import is happening, and until we have verified the data. Kathleen On 6/28/16 7:56 PM, Kathleen Wilson wrote: All, I apologize for the delay. We are waiting for a signature on the agreement that must be completed before we can import the Microsoft root store data into production. It is looking like we may have to wait until tomorrow morning (PDT). In the meantime, public-facing reports are working, but access to the system is very limited because we don't want any changes going into the system until we finish the data import. I will provide status updates as things progress. Kathleen On 6/28/16 8:29 AM, Kathleen Wilson wrote: The work on this data migration is starting now. The CA Community in Salesforce (a.k.a. the Common CA Database) will be offline while we do this data migration. I have kicked off the process to send an email with subject "CA Community in Salesforce - Planned Outage - Starting Now" to everyone who has a login to the CA Community in Salesforce. Kathleen On 6/27/16 3:56 PM, Kathleen Wilson wrote: All, We are planning to do the import of the data corresponding to Microsoft's root store program into the CA Community in Salesforce, with the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the work to take 8 to 10 hours. I understand that many of you are working to get your intermediate certificate data entered by the end of June, so I will grant a reprieve of a few days for those of you who are impacted by the system being down tomorrow. Also, I had to postpone some of the mass importing of intermediate certificate data, and will resume that when I return from vacation. So, please understand that our target date of having the intermediate cert data entered by June 30 will be delayed a bit longer. Jody and I are hoping to get his data imported tomorrow, so that we have a day to recover and handle any fine tuning, before I go on vacation. We decided not to wait until after my vacation, because Jody has a lot of work to do on restoring his data, hopes to do the work once (not have to repeat), and wants to get started as soon as possible. We were hoping to get this data import done much earlier, but there have been unforeseen delays. Below is the draft of the mass email that I plan to send to everyone who has access to the CA Community in Salesforce -- one message will be sent at the beginning of the data migration, and the other at the end. Please let me know if you have any feedback on this. Thanks, Kathleen == At beginning of migration day == Dear Certification Authority, Today, {!Today}, the Common CA Database (a.k.a. CA Community in Salesforce) will be offline while we import Microsoft’s root store data into the production database. During that time, the following things will happen: 1) You will not be able to login to the CA Community in Salesforce. 2) The urls to Mozilla’s public-facing reports will not work. Background on the Common CA Database may be found here: https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators I will send another email as soon as the data migration has been completed. I apologize for any inconvenience this causes. Regards, Kathleen Wilson Mozilla CA Program Manager == == At end of migration day == Dear Certification Authority, The work on the Common CA Database (a.k.a. CA Community in Salesforce) has been completed. Your access to the system and Mozilla's public-facing reports have been restored. You may notice the following: 1) Microsoft’s root store data has been imported and merged, so there are more CA Owner and Root Certificate records. 2) The “Status” field in the CA Owner and Root Certificate records has been changed to “Mozilla Status”. 3) There is a “Microsoft Fields” section in the page layout for CA Owner and Root Certificate records, and those fields can only be edited by Microsoft’s root store operator, Jody Cloutier. 4) There is a “Mozilla Fields” section in the page layout for the Root Certificate records and those fields can only be edited by Mozilla’s root store operator, Kathleen Wilson. 5) Mozilla’s public-facing reports should still only indicate information pertaining to Mozilla’s root store. Please reply to this email if you notice any issues with your CA’s data, or if you have any problems logging into the system. Regards, Kathleen Wilson Mozilla CA Program Manager == ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Salesforce offline Tuesday, June 28, for data import
All, I apologize for the delay. We are waiting for a signature on the agreement that must be completed before we can import the Microsoft root store data into production. It is looking like we may have to wait until tomorrow morning (PDT). In the meantime, public-facing reports are working, but access to the system is very limited because we don't want any changes going into the system until we finish the data import. I will provide status updates as things progress. Kathleen On 6/28/16 8:29 AM, Kathleen Wilson wrote: The work on this data migration is starting now. The CA Community in Salesforce (a.k.a. the Common CA Database) will be offline while we do this data migration. I have kicked off the process to send an email with subject "CA Community in Salesforce - Planned Outage - Starting Now" to everyone who has a login to the CA Community in Salesforce. Kathleen On 6/27/16 3:56 PM, Kathleen Wilson wrote: All, We are planning to do the import of the data corresponding to Microsoft's root store program into the CA Community in Salesforce, with the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the work to take 8 to 10 hours. I understand that many of you are working to get your intermediate certificate data entered by the end of June, so I will grant a reprieve of a few days for those of you who are impacted by the system being down tomorrow. Also, I had to postpone some of the mass importing of intermediate certificate data, and will resume that when I return from vacation. So, please understand that our target date of having the intermediate cert data entered by June 30 will be delayed a bit longer. Jody and I are hoping to get his data imported tomorrow, so that we have a day to recover and handle any fine tuning, before I go on vacation. We decided not to wait until after my vacation, because Jody has a lot of work to do on restoring his data, hopes to do the work once (not have to repeat), and wants to get started as soon as possible. We were hoping to get this data import done much earlier, but there have been unforeseen delays. Below is the draft of the mass email that I plan to send to everyone who has access to the CA Community in Salesforce -- one message will be sent at the beginning of the data migration, and the other at the end. Please let me know if you have any feedback on this. Thanks, Kathleen == At beginning of migration day == Dear Certification Authority, Today, {!Today}, the Common CA Database (a.k.a. CA Community in Salesforce) will be offline while we import Microsoft’s root store data into the production database. During that time, the following things will happen: 1) You will not be able to login to the CA Community in Salesforce. 2) The urls to Mozilla’s public-facing reports will not work. Background on the Common CA Database may be found here: https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators I will send another email as soon as the data migration has been completed. I apologize for any inconvenience this causes. Regards, Kathleen Wilson Mozilla CA Program Manager == == At end of migration day == Dear Certification Authority, The work on the Common CA Database (a.k.a. CA Community in Salesforce) has been completed. Your access to the system and Mozilla's public-facing reports have been restored. You may notice the following: 1) Microsoft’s root store data has been imported and merged, so there are more CA Owner and Root Certificate records. 2) The “Status” field in the CA Owner and Root Certificate records has been changed to “Mozilla Status”. 3) There is a “Microsoft Fields” section in the page layout for CA Owner and Root Certificate records, and those fields can only be edited by Microsoft’s root store operator, Jody Cloutier. 4) There is a “Mozilla Fields” section in the page layout for the Root Certificate records and those fields can only be edited by Mozilla’s root store operator, Kathleen Wilson. 5) Mozilla’s public-facing reports should still only indicate information pertaining to Mozilla’s root store. Please reply to this email if you notice any issues with your CA’s data, or if you have any problems logging into the system. Regards, Kathleen Wilson Mozilla CA Program Manager == ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Salesforce offline Tuesday, June 28, for data import
I would just like to highlight how worthwhile this outage is, since we're getting Microsoft and Mozilla using the same tool set for managing their root programs. Hopefully this will make things a lot easier for CAs in the long run, and just generally make the whole system run better. --Richard On Tue, Jun 28, 2016 at 11:29 AM, Kathleen Wilsonwrote: > The work on this data migration is starting now. The CA Community in > Salesforce (a.k.a. the Common CA Database) will be offline while we do this > data migration. > > I have kicked off the process to send an email with subject > "CA Community in Salesforce - Planned Outage - Starting Now" > to everyone who has a login to the CA Community in Salesforce. > > Kathleen > > > > > On 6/27/16 3:56 PM, Kathleen Wilson wrote: > >> All, >> >> We are planning to do the import of the data corresponding to >> Microsoft's root store program into the CA Community in Salesforce, with >> the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the >> work to take 8 to 10 hours. >> >> I understand that many of you are working to get your intermediate >> certificate data entered by the end of June, so I will grant a reprieve >> of a few days for those of you who are impacted by the system being down >> tomorrow. Also, I had to postpone some of the mass importing of >> intermediate certificate data, and will resume that when I return from >> vacation. So, please understand that our target date of having the >> intermediate cert data entered by June 30 will be delayed a bit longer. >> >> Jody and I are hoping to get his data imported tomorrow, so that we have >> a day to recover and handle any fine tuning, before I go on vacation. We >> decided not to wait until after my vacation, because Jody has a lot of >> work to do on restoring his data, hopes to do the work once (not have to >> repeat), and wants to get started as soon as possible. We were hoping to >> get this data import done much earlier, but there have been unforeseen >> delays. >> >> Below is the draft of the mass email that I plan to send to everyone who >> has access to the CA Community in Salesforce -- one message will be sent >> at the beginning of the data migration, and the other at the end. >> >> Please let me know if you have any feedback on this. >> >> Thanks, >> Kathleen >> >> == At beginning of migration day == >> >> Dear Certification Authority, >> >> Today, {!Today}, the Common CA Database (a.k.a. CA Community in >> Salesforce) will be offline while we import Microsoft’s root store data >> into the production database. >> >> During that time, the following things will happen: >> 1) You will not be able to login to the CA Community in Salesforce. >> 2) The urls to Mozilla’s public-facing reports will not work. >> >> Background on the Common CA Database may be found here: >> https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators >> >> I will send another email as soon as the data migration has been >> completed. >> >> I apologize for any inconvenience this causes. >> >> Regards, >> Kathleen Wilson >> Mozilla >> CA Program Manager >> == >> == At end of migration day == >> >> Dear Certification Authority, >> >> The work on the Common CA Database (a.k.a. CA Community in Salesforce) >> has been completed. Your access to the system and Mozilla's >> public-facing reports have been restored. >> >> You may notice the following: >> 1) Microsoft’s root store data has been imported and merged, so there >> are more CA Owner and Root Certificate records. >> 2) The “Status” field in the CA Owner and Root Certificate records has >> been changed to “Mozilla Status”. >> 3) There is a “Microsoft Fields” section in the page layout for CA Owner >> and Root Certificate records, and those fields can only be edited by >> Microsoft’s root store operator, Jody Cloutier. >> 4) There is a “Mozilla Fields” section in the page layout for the Root >> Certificate records and those fields can only be edited by Mozilla’s >> root store operator, Kathleen Wilson. >> 5) Mozilla’s public-facing reports should still only indicate >> information pertaining to Mozilla’s root store. >> >> Please reply to this email if you notice any issues with your CA’s data, >> or if you have any problems logging into the system. >> >> Regards, >> Kathleen Wilson >> Mozilla >> CA Program Manager >> == >> >> >> >> > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Salesforce offline Tuesday, June 28, for data import
The work on this data migration is starting now. The CA Community in Salesforce (a.k.a. the Common CA Database) will be offline while we do this data migration. I have kicked off the process to send an email with subject "CA Community in Salesforce - Planned Outage - Starting Now" to everyone who has a login to the CA Community in Salesforce. Kathleen On 6/27/16 3:56 PM, Kathleen Wilson wrote: All, We are planning to do the import of the data corresponding to Microsoft's root store program into the CA Community in Salesforce, with the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the work to take 8 to 10 hours. I understand that many of you are working to get your intermediate certificate data entered by the end of June, so I will grant a reprieve of a few days for those of you who are impacted by the system being down tomorrow. Also, I had to postpone some of the mass importing of intermediate certificate data, and will resume that when I return from vacation. So, please understand that our target date of having the intermediate cert data entered by June 30 will be delayed a bit longer. Jody and I are hoping to get his data imported tomorrow, so that we have a day to recover and handle any fine tuning, before I go on vacation. We decided not to wait until after my vacation, because Jody has a lot of work to do on restoring his data, hopes to do the work once (not have to repeat), and wants to get started as soon as possible. We were hoping to get this data import done much earlier, but there have been unforeseen delays. Below is the draft of the mass email that I plan to send to everyone who has access to the CA Community in Salesforce -- one message will be sent at the beginning of the data migration, and the other at the end. Please let me know if you have any feedback on this. Thanks, Kathleen == At beginning of migration day == Dear Certification Authority, Today, {!Today}, the Common CA Database (a.k.a. CA Community in Salesforce) will be offline while we import Microsoft’s root store data into the production database. During that time, the following things will happen: 1) You will not be able to login to the CA Community in Salesforce. 2) The urls to Mozilla’s public-facing reports will not work. Background on the Common CA Database may be found here: https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators I will send another email as soon as the data migration has been completed. I apologize for any inconvenience this causes. Regards, Kathleen Wilson Mozilla CA Program Manager == == At end of migration day == Dear Certification Authority, The work on the Common CA Database (a.k.a. CA Community in Salesforce) has been completed. Your access to the system and Mozilla's public-facing reports have been restored. You may notice the following: 1) Microsoft’s root store data has been imported and merged, so there are more CA Owner and Root Certificate records. 2) The “Status” field in the CA Owner and Root Certificate records has been changed to “Mozilla Status”. 3) There is a “Microsoft Fields” section in the page layout for CA Owner and Root Certificate records, and those fields can only be edited by Microsoft’s root store operator, Jody Cloutier. 4) There is a “Mozilla Fields” section in the page layout for the Root Certificate records and those fields can only be edited by Mozilla’s root store operator, Kathleen Wilson. 5) Mozilla’s public-facing reports should still only indicate information pertaining to Mozilla’s root store. Please reply to this email if you notice any issues with your CA’s data, or if you have any problems logging into the system. Regards, Kathleen Wilson Mozilla CA Program Manager == ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Salesforce offline Tuesday, June 28, for data import
All, We are planning to do the import of the data corresponding to Microsoft's root store program into the CA Community in Salesforce, with the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the work to take 8 to 10 hours. I understand that many of you are working to get your intermediate certificate data entered by the end of June, so I will grant a reprieve of a few days for those of you who are impacted by the system being down tomorrow. Also, I had to postpone some of the mass importing of intermediate certificate data, and will resume that when I return from vacation. So, please understand that our target date of having the intermediate cert data entered by June 30 will be delayed a bit longer. Jody and I are hoping to get his data imported tomorrow, so that we have a day to recover and handle any fine tuning, before I go on vacation. We decided not to wait until after my vacation, because Jody has a lot of work to do on restoring his data, hopes to do the work once (not have to repeat), and wants to get started as soon as possible. We were hoping to get this data import done much earlier, but there have been unforeseen delays. Below is the draft of the mass email that I plan to send to everyone who has access to the CA Community in Salesforce -- one message will be sent at the beginning of the data migration, and the other at the end. Please let me know if you have any feedback on this. Thanks, Kathleen == At beginning of migration day == Dear Certification Authority, Today, {!Today}, the Common CA Database (a.k.a. CA Community in Salesforce) will be offline while we import Microsoft’s root store data into the production database. During that time, the following things will happen: 1) You will not be able to login to the CA Community in Salesforce. 2) The urls to Mozilla’s public-facing reports will not work. Background on the Common CA Database may be found here: https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators I will send another email as soon as the data migration has been completed. I apologize for any inconvenience this causes. Regards, Kathleen Wilson Mozilla CA Program Manager == == At end of migration day == Dear Certification Authority, The work on the Common CA Database (a.k.a. CA Community in Salesforce) has been completed. Your access to the system and Mozilla's public-facing reports have been restored. You may notice the following: 1) Microsoft’s root store data has been imported and merged, so there are more CA Owner and Root Certificate records. 2) The “Status” field in the CA Owner and Root Certificate records has been changed to “Mozilla Status”. 3) There is a “Microsoft Fields” section in the page layout for CA Owner and Root Certificate records, and those fields can only be edited by Microsoft’s root store operator, Jody Cloutier. 4) There is a “Mozilla Fields” section in the page layout for the Root Certificate records and those fields can only be edited by Mozilla’s root store operator, Kathleen Wilson. 5) Mozilla’s public-facing reports should still only indicate information pertaining to Mozilla’s root store. Please reply to this email if you notice any issues with your CA’s data, or if you have any problems logging into the system. Regards, Kathleen Wilson Mozilla CA Program Manager == ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy