Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-16 Thread Nick Lamb 
Hello again Rob,

"ISRG Root X1" is listed as "Unconstrained id-kp-serverAuth Trust: Disclosure 
is required!"

I believe this root is now (or shortly will be) trusted directly by NSS, and so 
isn't an intermediate and shouldn't appear on the list.

Before it was added to NSS, it simply wasn't trusted at all, although it is 
seen in some CT logs. So I think under either circumstance it shouldn't be 
listed as "disclosure is required".
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-11 Thread Rob Stradling 

On 09/08/16 00:16, Kathleen Wilson wrote:


It seems to me that as long as a revoked intermediate certificate has
been disclosed (i.e. in Salesforce) that the certificates that it signed
do not need to be disclosed.


I've just changed "Probably!" to "Unknown" (for the "Unconstrained, but 
all unexpired observed paths Revoked" group on 
https://crt.sh/mozilla-disclosures).


"Unknown" is appropriate because crt.sh cannot know whether or not it 
has observed all of the paths that exist.




--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-08 Thread Rob Stradling 

On 08/08/16 10:25, Rob Stradling wrote:


Nick, Peter,

I looked at https://crt.sh/mozilla-disclosures immediately after the
Symantec cross-cert expired, and I was surprised to see no change.  I
was on holiday all last week, so I'm only just investigating it properly
now.

I suspect crt.sh is getting confused by the combination of the expired
Symantec cross-cert and the revoked Identrust cross-cert.  If they'd
both expired or both been revoked, I suspect this (presumed) bug would
not have been discovered.

I'm going to try changing
  "Unconstrained, but all observed paths Revoked"
to
  "Unconstrained, but all unexpired observed paths Revoked"


Bug fixed.

All of the FPKI intermediates now show up in this group:
https://crt.sh/mozilla-disclosures#trustrevoked

Note that crt.sh says "Disclosure is probably required!" for this group, 
as per Richard's suggestion to "err on the side of disclosing 
subordinates under a revoked certificate, with exceptions..." [1].


Richard did say he'd "be willing to make an exception for this specific 
case, since the Federal Bridge is a known issue" [2].


Kathleen,
Would it be possible to add a field (to Salesforce and to 
https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsRevokedCSVFormat) 
so that crt.sh can track these exceptions?



[1] 
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg03468.html


[2] 
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg03476.html


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-08 Thread Rob Stradling 

On 02/08/16 14:46, Peter Bowen wrote:

On Tue, Aug 2, 2016 at 5:11 AM, Nick Lamb  wrote:

Rob, today I examined https://crt.sh/mozilla-disclosures because I was interested to see if the now 
expired signature from Symantec's "VeriSign Class 3 SSP Intermediate CA - G2" of 
"Federal Bridge CA 2013" had the expected effect.

I understand that traversing a network with known and potentially unknown loops in it is 
tricky to do correctly, so I am not sure whether the fact that a large number of "US 
Government" CAs are still listed as Unconstrained id-kp-serverAuth Trust reflects a 
problem with that traversal or a real, previously undetected trust relationship that I 
wasn't able to spot by eye.


Nick,

I believe this to be a bug in crt.sh. I have a local copy of all the
cross-certificates and the US Federal PKI and subordinate CAs from
there do not appear in the current trust graph.

Thanks,
Peter


Nick, Peter,

I looked at https://crt.sh/mozilla-disclosures immediately after the 
Symantec cross-cert expired, and I was surprised to see no change.  I 
was on holiday all last week, so I'm only just investigating it properly 
now.


I suspect crt.sh is getting confused by the combination of the expired 
Symantec cross-cert and the revoked Identrust cross-cert.  If they'd 
both expired or both been revoked, I suspect this (presumed) bug would 
not have been discovered.


I'm going to try changing
  "Unconstrained, but all observed paths Revoked"
to
  "Unconstrained, but all unexpired observed paths Revoked"

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-07-19 Thread Rob Stradling 

On 27/06/16 23:56, Kathleen Wilson wrote:


I understand that many of you are working to get your intermediate
certificate data entered by the end of June, so I will grant a reprieve
of a few days for those of you who are impacted by the system being down
tomorrow. Also, I had to postpone some of the mass importing of
intermediate certificate data, and will resume that when I return from
vacation. So, please understand that our target date of having the
intermediate cert data entered by June 30 will be delayed a bit longer.


Another friendly reminder to all CA representatives:

Mozilla's March 2016 CA Communication [1] required you to enter the 
following details into the CA Community in Salesforce...

  - "the full PEM data"
  - "CP/CPS and audit statements"
...for "every intermediate certificate that directly or transitively 
chains to your included root certificates, provided that the root 
certificate is enabled with the Websites trust bit and the intermediate 
certificate is not Technically Constrained".


You indicated [2] that you were aware of this requirement and that you 
planned to comply by 30th June 2016 (except for: "Government of Japan, 
Ministry of Internal Affairs and Communications", who plan to respond by 
31th March 2017; and HARICA, who plan to respond by 5th June 2018).


An astonishing 45% of the applicable intermediate certificates that are 
known to the Certificate Transparency logs have not yet been fully 
disclosed in Salesforce!!


I'd like to encourage you ALL to review the crt.sh report [3] and to 
check your own records for any other intermediate certificates (that are 
not yet known to CT) that you need to disclose.


Also, please note that I've just split out 2 new groups [3] from the 
"Disclosed" group:
  - "Disclosure Incomplete": Intermediate certificates for which "the 
full PEM data" has been provided but either/both of the "CP/CPS and 
audit statements" have not been provided.
  - "Disclosed, but with Errors": The necessary data has been provided, 
but Salesforce shows the following error message:

   "For intermediate certificates, Parent Certificate Name must be the
certificate's Issuer Common Name or Issuer Organization. Additional
characters may be added at the end of the name, but must be kept
consistent within the hierarchy."

The "Disclosure Incomplete", "Unconstrained id-kp-serverAuth Trust", 
"Unconstrained, but all observed paths Revoked", "Disclosed, but with 
Errors" and "Unknown to crt.sh or Incorrectly Encoded" groups all need 
to become empty.



[1] 
https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o00iHdtx


[2] 
https://mozillacaprogram.secure.force.com/Communications/CACommSummaryReport?CommunicationID=a05o00iHdtx


[3] https://crt.sh/mozilla-disclosures

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Salesforce offline Tuesday, June 28, for data import

2016-06-29 Thread Kathleen Wilson 
The data migration has happened, and I have reviewed the data in the 
production DB. We will need to do some tweaking/fixing over then next 
couple of weeks, but I think we're good to go.


So, we will begin restoring access to the system, and I will send the 
"end of service outage" notice as soon as it has all been restored.


Kathleen


On 6/28/16 8:57 PM, Kathleen Wilson wrote:

All,

The signature that we were waiting for has happened, so we will continue
with the data migration. The public-facing reports will not be available
when the data import is happening, and until we have verified the data.

Kathleen


On 6/28/16 7:56 PM, Kathleen Wilson wrote:

All,

I apologize for the delay. We are waiting for a signature on the
agreement that must be completed before we can import the Microsoft root
store data into production. It is looking like we may have to wait until
tomorrow morning (PDT).

In the meantime, public-facing reports are working, but access to the
system is very limited because we don't want any changes going into the
system until we finish the data import.

I will provide status updates as things progress.

Kathleen



On 6/28/16 8:29 AM, Kathleen Wilson wrote:

The work on this data migration is starting now. The CA Community in
Salesforce (a.k.a. the Common CA Database) will be offline while we do
this data migration.

I have kicked off the process to send an email with subject
"CA Community in Salesforce - Planned Outage - Starting Now"
to everyone who has a login to the CA Community in Salesforce.

Kathleen



On 6/27/16 3:56 PM, Kathleen Wilson wrote:

All,

We are planning to do the import of the data corresponding to
Microsoft's root store program into the CA Community in Salesforce,
with
the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the
work to take 8 to 10 hours.

I understand that many of you are working to get your intermediate
certificate data entered by the end of June, so I will grant a reprieve
of a few days for those of you who are impacted by the system being
down
tomorrow. Also, I had to postpone some of the mass importing of
intermediate certificate data, and will resume that when I return from
vacation. So, please understand that our target date of having the
intermediate cert data entered by June 30 will be delayed a bit longer.

Jody and I are hoping to get his data imported tomorrow, so that we
have
a day to recover and handle any fine tuning, before I go on
vacation. We
decided not to wait until after my vacation, because Jody has a lot of
work to do on restoring his data, hopes to do the work once (not
have to
repeat), and wants to get started as soon as possible. We were
hoping to
get this data import done much earlier, but there have been unforeseen
delays.

Below is the draft of the mass email that I plan to send to everyone
who
has access to the CA Community in Salesforce -- one message will be
sent
at the beginning of the data migration, and the other at the end.

Please let me know if you have any feedback on this.

Thanks,
Kathleen

== At beginning of migration day ==

Dear Certification Authority,

Today, {!Today}, the Common CA Database (a.k.a. CA Community in
Salesforce) will be offline while we import Microsoft’s root store data
into the production database.

During that time, the following things will happen:
1) You will not be able to login to the CA Community in Salesforce.
2) The urls to Mozilla’s public-facing reports will not work.

Background on the Common CA Database may be found here:
https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators

I will send another email as soon as the data migration has been
completed.

I apologize for any inconvenience this causes.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==
== At end of migration day ==

Dear Certification Authority,

The work on the Common CA Database (a.k.a. CA Community in Salesforce)
has been completed. Your access to the system and Mozilla's
public-facing reports have been restored.

You may notice the following:
1) Microsoft’s root store data has been imported and merged, so there
are more CA Owner and Root Certificate records.
2) The “Status” field in the CA Owner and Root Certificate records has
been changed to “Mozilla Status”.
3) There is a “Microsoft Fields” section in the page layout for CA
Owner
and Root Certificate records, and those fields can only be edited by
Microsoft’s root store operator, Jody Cloutier.
4) There is a “Mozilla Fields” section in the page layout for the Root
Certificate records and those fields can only be edited by Mozilla’s
root store operator, Kathleen Wilson.
5) Mozilla’s public-facing reports should still only indicate
information pertaining to Mozilla’s root store.

Please reply to this email if you notice any issues with your CA’s
data,
or if you have any problems logging into the system.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==











___

Re: Salesforce offline Tuesday, June 28, for data import

2016-06-28 Thread Kathleen Wilson 

All,

The signature that we were waiting for has happened, so we will continue 
with the data migration. The public-facing reports will not be available 
when the data import is happening, and until we have verified the data.


Kathleen


On 6/28/16 7:56 PM, Kathleen Wilson wrote:

All,

I apologize for the delay. We are waiting for a signature on the
agreement that must be completed before we can import the Microsoft root
store data into production. It is looking like we may have to wait until
tomorrow morning (PDT).

In the meantime, public-facing reports are working, but access to the
system is very limited because we don't want any changes going into the
system until we finish the data import.

I will provide status updates as things progress.

Kathleen



On 6/28/16 8:29 AM, Kathleen Wilson wrote:

The work on this data migration is starting now. The CA Community in
Salesforce (a.k.a. the Common CA Database) will be offline while we do
this data migration.

I have kicked off the process to send an email with subject
"CA Community in Salesforce - Planned Outage - Starting Now"
to everyone who has a login to the CA Community in Salesforce.

Kathleen



On 6/27/16 3:56 PM, Kathleen Wilson wrote:

All,

We are planning to do the import of the data corresponding to
Microsoft's root store program into the CA Community in Salesforce, with
the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the
work to take 8 to 10 hours.

I understand that many of you are working to get your intermediate
certificate data entered by the end of June, so I will grant a reprieve
of a few days for those of you who are impacted by the system being down
tomorrow. Also, I had to postpone some of the mass importing of
intermediate certificate data, and will resume that when I return from
vacation. So, please understand that our target date of having the
intermediate cert data entered by June 30 will be delayed a bit longer.

Jody and I are hoping to get his data imported tomorrow, so that we have
a day to recover and handle any fine tuning, before I go on vacation. We
decided not to wait until after my vacation, because Jody has a lot of
work to do on restoring his data, hopes to do the work once (not have to
repeat), and wants to get started as soon as possible. We were hoping to
get this data import done much earlier, but there have been unforeseen
delays.

Below is the draft of the mass email that I plan to send to everyone who
has access to the CA Community in Salesforce -- one message will be sent
at the beginning of the data migration, and the other at the end.

Please let me know if you have any feedback on this.

Thanks,
Kathleen

== At beginning of migration day ==

Dear Certification Authority,

Today, {!Today}, the Common CA Database (a.k.a. CA Community in
Salesforce) will be offline while we import Microsoft’s root store data
into the production database.

During that time, the following things will happen:
1) You will not be able to login to the CA Community in Salesforce.
2) The urls to Mozilla’s public-facing reports will not work.

Background on the Common CA Database may be found here:
https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators

I will send another email as soon as the data migration has been
completed.

I apologize for any inconvenience this causes.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==
== At end of migration day ==

Dear Certification Authority,

The work on the Common CA Database (a.k.a. CA Community in Salesforce)
has been completed. Your access to the system and Mozilla's
public-facing reports have been restored.

You may notice the following:
1) Microsoft’s root store data has been imported and merged, so there
are more CA Owner and Root Certificate records.
2) The “Status” field in the CA Owner and Root Certificate records has
been changed to “Mozilla Status”.
3) There is a “Microsoft Fields” section in the page layout for CA Owner
and Root Certificate records, and those fields can only be edited by
Microsoft’s root store operator, Jody Cloutier.
4) There is a “Mozilla Fields” section in the page layout for the Root
Certificate records and those fields can only be edited by Mozilla’s
root store operator, Kathleen Wilson.
5) Mozilla’s public-facing reports should still only indicate
information pertaining to Mozilla’s root store.

Please reply to this email if you notice any issues with your CA’s data,
or if you have any problems logging into the system.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==









___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Salesforce offline Tuesday, June 28, for data import

2016-06-28 Thread Kathleen Wilson 

All,

I apologize for the delay. We are waiting for a signature on the 
agreement that must be completed before we can import the Microsoft root 
store data into production. It is looking like we may have to wait until 
tomorrow morning (PDT).


In the meantime, public-facing reports are working, but access to the 
system is very limited because we don't want any changes going into the 
system until we finish the data import.


I will provide status updates as things progress.

Kathleen



On 6/28/16 8:29 AM, Kathleen Wilson wrote:

The work on this data migration is starting now. The CA Community in
Salesforce (a.k.a. the Common CA Database) will be offline while we do
this data migration.

I have kicked off the process to send an email with subject
"CA Community in Salesforce - Planned Outage - Starting Now"
to everyone who has a login to the CA Community in Salesforce.

Kathleen



On 6/27/16 3:56 PM, Kathleen Wilson wrote:

All,

We are planning to do the import of the data corresponding to
Microsoft's root store program into the CA Community in Salesforce, with
the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the
work to take 8 to 10 hours.

I understand that many of you are working to get your intermediate
certificate data entered by the end of June, so I will grant a reprieve
of a few days for those of you who are impacted by the system being down
tomorrow. Also, I had to postpone some of the mass importing of
intermediate certificate data, and will resume that when I return from
vacation. So, please understand that our target date of having the
intermediate cert data entered by June 30 will be delayed a bit longer.

Jody and I are hoping to get his data imported tomorrow, so that we have
a day to recover and handle any fine tuning, before I go on vacation. We
decided not to wait until after my vacation, because Jody has a lot of
work to do on restoring his data, hopes to do the work once (not have to
repeat), and wants to get started as soon as possible. We were hoping to
get this data import done much earlier, but there have been unforeseen
delays.

Below is the draft of the mass email that I plan to send to everyone who
has access to the CA Community in Salesforce -- one message will be sent
at the beginning of the data migration, and the other at the end.

Please let me know if you have any feedback on this.

Thanks,
Kathleen

== At beginning of migration day ==

Dear Certification Authority,

Today, {!Today}, the Common CA Database (a.k.a. CA Community in
Salesforce) will be offline while we import Microsoft’s root store data
into the production database.

During that time, the following things will happen:
1) You will not be able to login to the CA Community in Salesforce.
2) The urls to Mozilla’s public-facing reports will not work.

Background on the Common CA Database may be found here:
https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators

I will send another email as soon as the data migration has been
completed.

I apologize for any inconvenience this causes.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==
== At end of migration day ==

Dear Certification Authority,

The work on the Common CA Database (a.k.a. CA Community in Salesforce)
has been completed. Your access to the system and Mozilla's
public-facing reports have been restored.

You may notice the following:
1) Microsoft’s root store data has been imported and merged, so there
are more CA Owner and Root Certificate records.
2) The “Status” field in the CA Owner and Root Certificate records has
been changed to “Mozilla Status”.
3) There is a “Microsoft Fields” section in the page layout for CA Owner
and Root Certificate records, and those fields can only be edited by
Microsoft’s root store operator, Jody Cloutier.
4) There is a “Mozilla Fields” section in the page layout for the Root
Certificate records and those fields can only be edited by Mozilla’s
root store operator, Kathleen Wilson.
5) Mozilla’s public-facing reports should still only indicate
information pertaining to Mozilla’s root store.

Please reply to this email if you notice any issues with your CA’s data,
or if you have any problems logging into the system.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==







___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Salesforce offline Tuesday, June 28, for data import

2016-06-28 Thread Richard Barnes 
I would just like to highlight how worthwhile this outage is, since we're
getting Microsoft and Mozilla using the same tool set for managing their
root programs.  Hopefully this will make things a lot easier for CAs in the
long run, and just generally make the whole system run better.

--Richard

On Tue, Jun 28, 2016 at 11:29 AM, Kathleen Wilson 
wrote:

> The work on this data migration is starting now. The CA Community in
> Salesforce (a.k.a. the Common CA Database) will be offline while we do this
> data migration.
>
> I have kicked off the process to send an email with subject
> "CA Community in Salesforce - Planned Outage - Starting Now"
> to everyone who has a login to the CA Community in Salesforce.
>
> Kathleen
>
>
>
>
> On 6/27/16 3:56 PM, Kathleen Wilson wrote:
>
>> All,
>>
>> We are planning to do the import of the data corresponding to
>> Microsoft's root store program into the CA Community in Salesforce, with
>> the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the
>> work to take 8 to 10 hours.
>>
>> I understand that many of you are working to get your intermediate
>> certificate data entered by the end of June, so I will grant a reprieve
>> of a few days for those of you who are impacted by the system being down
>> tomorrow. Also, I had to postpone some of the mass importing of
>> intermediate certificate data, and will resume that when I return from
>> vacation. So, please understand that our target date of having the
>> intermediate cert data entered by June 30 will be delayed a bit longer.
>>
>> Jody and I are hoping to get his data imported tomorrow, so that we have
>> a day to recover and handle any fine tuning, before I go on vacation. We
>> decided not to wait until after my vacation, because Jody has a lot of
>> work to do on restoring his data, hopes to do the work once (not have to
>> repeat), and wants to get started as soon as possible. We were hoping to
>> get this data import done much earlier, but there have been unforeseen
>> delays.
>>
>> Below is the draft of the mass email that I plan to send to everyone who
>> has access to the CA Community in Salesforce -- one message will be sent
>> at the beginning of the data migration, and the other at the end.
>>
>> Please let me know if you have any feedback on this.
>>
>> Thanks,
>> Kathleen
>>
>> == At beginning of migration day ==
>>
>> Dear Certification Authority,
>>
>> Today, {!Today}, the Common CA Database (a.k.a. CA Community in
>> Salesforce) will be offline while we import Microsoft’s root store data
>> into the production database.
>>
>> During that time, the following things will happen:
>> 1) You will not be able to login to the CA Community in Salesforce.
>> 2) The urls to Mozilla’s public-facing reports will not work.
>>
>> Background on the Common CA Database may be found here:
>> https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators
>>
>> I will send another email as soon as the data migration has been
>> completed.
>>
>> I apologize for any inconvenience this causes.
>>
>> Regards,
>> Kathleen Wilson
>> Mozilla
>> CA Program Manager
>> ==
>> == At end of migration day ==
>>
>> Dear Certification Authority,
>>
>> The work on the Common CA Database (a.k.a. CA Community in Salesforce)
>> has been completed. Your access to the system and Mozilla's
>> public-facing reports have been restored.
>>
>> You may notice the following:
>> 1) Microsoft’s root store data has been imported and merged, so there
>> are more CA Owner and Root Certificate records.
>> 2) The “Status” field in the CA Owner and Root Certificate records has
>> been changed to “Mozilla Status”.
>> 3) There is a “Microsoft Fields” section in the page layout for CA Owner
>> and Root Certificate records, and those fields can only be edited by
>> Microsoft’s root store operator, Jody Cloutier.
>> 4) There is a “Mozilla Fields” section in the page layout for the Root
>> Certificate records and those fields can only be edited by Mozilla’s
>> root store operator, Kathleen Wilson.
>> 5) Mozilla’s public-facing reports should still only indicate
>> information pertaining to Mozilla’s root store.
>>
>> Please reply to this email if you notice any issues with your CA’s data,
>> or if you have any problems logging into the system.
>>
>> Regards,
>> Kathleen Wilson
>> Mozilla
>> CA Program Manager
>> ==
>>
>>
>>
>>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Salesforce offline Tuesday, June 28, for data import

2016-06-28 Thread Kathleen Wilson 
The work on this data migration is starting now. The CA Community in 
Salesforce (a.k.a. the Common CA Database) will be offline while we do 
this data migration.


I have kicked off the process to send an email with subject
"CA Community in Salesforce - Planned Outage - Starting Now"
to everyone who has a login to the CA Community in Salesforce.

Kathleen



On 6/27/16 3:56 PM, Kathleen Wilson wrote:

All,

We are planning to do the import of the data corresponding to
Microsoft's root store program into the CA Community in Salesforce, with
the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the
work to take 8 to 10 hours.

I understand that many of you are working to get your intermediate
certificate data entered by the end of June, so I will grant a reprieve
of a few days for those of you who are impacted by the system being down
tomorrow. Also, I had to postpone some of the mass importing of
intermediate certificate data, and will resume that when I return from
vacation. So, please understand that our target date of having the
intermediate cert data entered by June 30 will be delayed a bit longer.

Jody and I are hoping to get his data imported tomorrow, so that we have
a day to recover and handle any fine tuning, before I go on vacation. We
decided not to wait until after my vacation, because Jody has a lot of
work to do on restoring his data, hopes to do the work once (not have to
repeat), and wants to get started as soon as possible. We were hoping to
get this data import done much earlier, but there have been unforeseen
delays.

Below is the draft of the mass email that I plan to send to everyone who
has access to the CA Community in Salesforce -- one message will be sent
at the beginning of the data migration, and the other at the end.

Please let me know if you have any feedback on this.

Thanks,
Kathleen

== At beginning of migration day ==

Dear Certification Authority,

Today, {!Today}, the Common CA Database (a.k.a. CA Community in
Salesforce) will be offline while we import Microsoft’s root store data
into the production database.

During that time, the following things will happen:
1) You will not be able to login to the CA Community in Salesforce.
2) The urls to Mozilla’s public-facing reports will not work.

Background on the Common CA Database may be found here:
https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators

I will send another email as soon as the data migration has been completed.

I apologize for any inconvenience this causes.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==
== At end of migration day ==

Dear Certification Authority,

The work on the Common CA Database (a.k.a. CA Community in Salesforce)
has been completed. Your access to the system and Mozilla's
public-facing reports have been restored.

You may notice the following:
1) Microsoft’s root store data has been imported and merged, so there
are more CA Owner and Root Certificate records.
2) The “Status” field in the CA Owner and Root Certificate records has
been changed to “Mozilla Status”.
3) There is a “Microsoft Fields” section in the page layout for CA Owner
and Root Certificate records, and those fields can only be edited by
Microsoft’s root store operator, Jody Cloutier.
4) There is a “Mozilla Fields” section in the page layout for the Root
Certificate records and those fields can only be edited by Mozilla’s
root store operator, Kathleen Wilson.
5) Mozilla’s public-facing reports should still only indicate
information pertaining to Mozilla’s root store.

Please reply to this email if you notice any issues with your CA’s data,
or if you have any problems logging into the system.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==





___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Salesforce offline Tuesday, June 28, for data import

2016-06-27 Thread Kathleen Wilson 

All,

We are planning to do the import of the data corresponding to 
Microsoft's root store program into the CA Community in Salesforce, with 
the hopeful start time of 8:00am PDT on Tuesday, June 28. We expect the 
work to take 8 to 10 hours.


I understand that many of you are working to get your intermediate 
certificate data entered by the end of June, so I will grant a reprieve 
of a few days for those of you who are impacted by the system being down 
tomorrow. Also, I had to postpone some of the mass importing of 
intermediate certificate data, and will resume that when I return from 
vacation. So, please understand that our target date of having the 
intermediate cert data entered by June 30 will be delayed a bit longer.


Jody and I are hoping to get his data imported tomorrow, so that we have 
a day to recover and handle any fine tuning, before I go on vacation. We 
decided not to wait until after my vacation, because Jody has a lot of 
work to do on restoring his data, hopes to do the work once (not have to 
repeat), and wants to get started as soon as possible. We were hoping to 
get this data import done much earlier, but there have been unforeseen 
delays.


Below is the draft of the mass email that I plan to send to everyone who 
has access to the CA Community in Salesforce -- one message will be sent 
at the beginning of the data migration, and the other at the end.


Please let me know if you have any feedback on this.

Thanks,
Kathleen

== At beginning of migration day ==

Dear Certification Authority,

Today, {!Today}, the Common CA Database (a.k.a. CA Community in
Salesforce) will be offline while we import Microsoft’s root store data 
into the production database.


During that time, the following things will happen:
1) You will not be able to login to the CA Community in Salesforce.
2) The urls to Mozilla’s public-facing reports will not work.

Background on the Common CA Database may be found here:
https://wiki.mozilla.org/CA:CommonCADatabase:RootStoreOperators

I will send another email as soon as the data migration has been completed.

I apologize for any inconvenience this causes.

Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==
== At end of migration day ==

Dear Certification Authority,

The work on the Common CA Database (a.k.a. CA Community in Salesforce) 
has been completed. Your access to the system and Mozilla's 
public-facing reports have been restored.


You may notice the following:
1) Microsoft’s root store data has been imported and merged, so there 
are more CA Owner and Root Certificate records.
2) The “Status” field in the CA Owner and Root Certificate records has 
been changed to “Mozilla Status”.
3) There is a “Microsoft Fields” section in the page layout for CA Owner 
and Root Certificate records, and those fields can only be edited by 
Microsoft’s root store operator, Jody Cloutier.
4) There is a “Mozilla Fields” section in the page layout for the Root 
Certificate records and those fields can only be edited by Mozilla’s 
root store operator, Kathleen Wilson.
5) Mozilla’s public-facing reports should still only indicate 
information pertaining to Mozilla’s root store.


Please reply to this email if you notice any issues with your CA’s data, 
or if you have any problems logging into the system.


Regards,
Kathleen Wilson
Mozilla
CA Program Manager
==



___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy