Changes recommended so far:

== Root Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text

== Intermediate Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text
* Filter out technically-constrained (via EKU and Name Constraints) certs

== Intermediate Certs with no audit information provided ==
== Intermediate Certs with no CP/CPS information provided ==
== Intermediate Certs missing Subordinate CA Owner or Auditor Info ==
* Combine these 3 reports into one report, with a column indicating what is missing (audit, CP/CPS, subCA name, auditor info)
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report

== Intermediate Certs with Failed ALV Results ==
== Intermediate Certs with Failed ALV Results for EV SSL ==
* Combine these 2 reports into one report.
* Check computation of Derived Trust bits, to add Apple
-- look into making this filter independent -- e.g. so only the root cert and intermediate cert logic need to be updated when the other root stores start maintaining this information.
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained (via EKU and Name Constraints) certs

Columns for combined report:
* Certificate Name (clickable link)
* SHA-256 Fingerprint
* Root Cert Summary Status (all root stores)
* Audits Same As Parent
* Audit Statement Dates
-- Lists Standard, BR, and EV with their audit statement dates
-- BR and EV dates should be empty if Server Authentication not in Derived Trust Bits
-- EV date should be empty if not EV capable
* ALV Found Cert
-- Lists Standard, BR, and EV with their ALV found cert status of PASS or FAIL or empty (when not applicable)
* ALV Comments
-- List Standard, BR, and EV, with each of their ALV Comments (limit displayed text, but show all with hover-over).

== Intermediate Certs with Failed ALV Results for Code Signing ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.

== Intermediate Certificates with missing Full CRL ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.

Bug 1734497 Comment 1 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Per the [CCADB Steering Committee](https://docs.google.com/document/d/1-w4FpfDKboL6bBnRa73Eelu0UCKvl3jt4ryE7R0Lc5U/edit) meeting on December 2, Changes recommended so far:

== Root Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text

== Intermediate Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text
* Filter out technically-constrained (via EKU and Name Constraints) certs

== Intermediate Certs with no audit information provided ==
== Intermediate Certs with no CP/CPS information provided ==
== Intermediate Certs missing Subordinate CA Owner or Auditor Info ==
* Combine these 3 reports into one report, with a column indicating what is missing (audit, CP/CPS, subCA name, auditor info)
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report

== Intermediate Certs with Failed ALV Results ==
== Intermediate Certs with Failed ALV Results for EV SSL ==
* Combine these 2 reports into one report.
* Check computation of Derived Trust bits, to add Apple
-- look into making this filter independent -- e.g. so only the root cert and intermediate cert logic need to be updated when the other root stores start maintaining this information.
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained (via EKU and Name Constraints) certs

Columns for combined report:
* Certificate Name (clickable link)
* SHA-256 Fingerprint
* Root Cert Summary Status (all root stores)
* Audits Same As Parent
* Audit Statement Dates
-- Lists Standard, BR, and EV with their audit statement dates
-- BR and EV dates should be empty if Server Authentication not in Derived Trust Bits
-- EV date should be empty if not EV capable
* ALV Found Cert
-- Lists Standard, BR, and EV with their ALV found cert status of PASS or FAIL or empty (when not applicable)
* ALV Comments
-- List Standard, BR, and EV, with each of their ALV Comments (limit displayed text, but show all with hover-over).

== Intermediate Certs with Failed ALV Results for Code Signing ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.

== Intermediate Certificates with missing Full CRL ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.


Per the [CCADB Steering Committee](https://docs.google.com/document/d/1-w4FpfDKboL6bBnRa73Eelu0UCKvl3jt4ryE7R0Lc5U/edit) meeting on December 2, Changes recommended so far:

== Root Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text

== Intermediate Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text
* Filter out technically-constrained (via EKU and Name Constraints) certs, expired certs, and revoked certs

== Intermediate Certs with no audit information provided ==
== Intermediate Certs with no CP/CPS information provided ==
== Intermediate Certs missing Subordinate CA Owner or Auditor Info ==
* Combine these 3 reports into one report, with a column indicating what is missing (audit, CP/CPS, subCA name, auditor info)
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report

== Intermediate Certs with Failed ALV Results ==
== Intermediate Certs with Failed ALV Results for EV SSL ==
* Combine these 2 reports into one report.
* Check computation of Derived Trust bits, to add Apple
-- look into making this filter independent -- e.g. so only the root cert and intermediate cert logic need to be updated when the other root stores start maintaining this information.
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained (via EKU and Name Constraints) certs

Columns for combined report:
* Certificate Name (clickable link)
* SHA-256 Fingerprint
* Root Cert Summary Status (all root stores)
* Audits Same As Parent
* Audit Statement Dates
-- Lists Standard, BR, and EV with their audit statement dates
-- BR and EV dates should be empty if Server Authentication not in Derived Trust Bits
-- EV date should be empty if not EV capable
* ALV Found Cert
-- Lists Standard, BR, and EV with their ALV found cert status of PASS or FAIL or empty (when not applicable)
* ALV Comments
-- List Standard, BR, and EV, with each of their ALV Comments (limit displayed text, but show all with hover-over).

== Intermediate Certs with Failed ALV Results for Code Signing ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.

== Intermediate Certificates with missing Full CRL ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.


Per the [CCADB Steering Committee](https://docs.google.com/document/d/1-w4FpfDKboL6bBnRa73Eelu0UCKvl3jt4ryE7R0Lc5U/edit) meeting on December 2, Changes recommended so far:

== Root Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text

== Intermediate Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text
* Filter out technically-constrained certs, expired certs, and revoked certs

== Intermediate Certs with no audit information provided ==
== Intermediate Certs with no CP/CPS information provided ==
== Intermediate Certs missing Subordinate CA Owner or Auditor Info ==
* Combine these 3 reports into one report, with a column indicating what is missing (audit, CP/CPS, subCA name, auditor info)
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report

== Intermediate Certs with Failed ALV Results ==
== Intermediate Certs with Failed ALV Results for EV SSL ==
* Combine these 2 reports into one report.
* Check computation of Derived Trust bits, to add Apple
-- look into making this filter independent -- e.g. so only the root cert and intermediate cert logic need to be updated when the other root stores start maintaining this information.
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained (via EKU and Name Constraints) certs

Columns for combined report:
* Certificate Name (clickable link)
* SHA-256 Fingerprint
* Root Cert Summary Status (all root stores)
* Audits Same As Parent
* Audit Statement Dates
-- Lists Standard, BR, and EV with their audit statement dates
-- BR and EV dates should be empty if Server Authentication not in Derived Trust Bits
-- EV date should be empty if not EV capable
* ALV Found Cert
-- Lists Standard, BR, and EV with their ALV found cert status of PASS or FAIL or empty (when not applicable)
* ALV Comments
-- List Standard, BR, and EV, with each of their ALV Comments (limit displayed text, but show all with hover-over).

== Intermediate Certs with Failed ALV Results for Code Signing ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.

== Intermediate Certificates with missing Full CRL ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.


Per the [CCADB Steering Committee](https://docs.google.com/document/d/1-w4FpfDKboL6bBnRa73Eelu0UCKvl3jt4ryE7R0Lc5U/edit) meeting on December 2, Changes recommended so far:

== Root Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text

== Intermediate Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text
* Filter out technically-constrained certs, expired certs, and revoked certs

== Intermediate Certs with no audit information provided ==
== Intermediate Certs with no CP/CPS information provided ==
== Intermediate Certs missing Subordinate CA Owner or Auditor Info ==
* Combine these 3 reports into one report, with a column indicating what is missing (audit, CP/CPS, subCA name, auditor info)
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained certs, expired certs, and revoked certs

== Intermediate Certs with Failed ALV Results ==
== Intermediate Certs with Failed ALV Results for EV SSL ==
* Combine these 2 reports into one report.
* Check computation of Derived Trust bits, to add Apple
-- look into making this filter independent -- e.g. so only the root cert and intermediate cert logic need to be updated when the other root stores start maintaining this information.
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained (via EKU and Name Constraints) certs

Columns for combined report:
* Certificate Name (clickable link)
* SHA-256 Fingerprint
* Root Cert Summary Status (all root stores)
* Audits Same As Parent
* Audit Statement Dates
-- Lists Standard, BR, and EV with their audit statement dates
-- BR and EV dates should be empty if Server Authentication not in Derived Trust Bits
-- EV date should be empty if not EV capable
* ALV Found Cert
-- Lists Standard, BR, and EV with their ALV found cert status of PASS or FAIL or empty (when not applicable)
* ALV Comments
-- List Standard, BR, and EV, with each of their ALV Comments (limit displayed text, but show all with hover-over).

== Intermediate Certs with Failed ALV Results for Code Signing ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.

== Intermediate Certificates with missing Full CRL ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.


Per the [CCADB Steering Committee](https://docs.google.com/document/d/1-w4FpfDKboL6bBnRa73Eelu0UCKvl3jt4ryE7R0Lc5U/edit) meeting on December 2, Changes recommended so far:

== Root Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text

== Intermediate Certs with Outdated Audit Statements ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Add light background color-coding to the report
-- Green - (audit end date < Today - (396 + 30))
-- Yellow - (audit end date < Today - (396 + 60))
-- Red - (audit end date < Today - (396 + 90)), bold the text
* Filter out technically-constrained certs, expired certs, and revoked certs

== Intermediate Certs with no audit information provided ==
== Intermediate Certs with no CP/CPS information provided ==
== Intermediate Certs missing Subordinate CA Owner or Auditor Info ==
* Combine these 3 reports into one report, with a column indicating what is missing (audit, CP/CPS, subCA name, auditor info)
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained certs, expired certs, and revoked certs

== Intermediate Certs with Failed ALV Results ==
== Intermediate Certs with Failed ALV Results for EV SSL ==
* Combine these 2 reports into one report.
* Check computation of Derived Trust bits, to add Apple
-- look into making this filter independent -- e.g. so only the root cert and intermediate cert logic need to be updated when the other root stores start maintaining this information.
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Add the Root Certificate Store Summary Status field column to the report
* Filter out technically-constrained certs, expired certs, and revoked certs

Columns for combined report:
* Certificate Name (clickable link)
* SHA-256 Fingerprint
* Root Cert Summary Status (all root stores)
* Audits Same As Parent
* Audit Statement Dates
-- Lists Standard, BR, and EV with their audit statement dates
-- BR and EV dates should be empty if Server Authentication not in Derived Trust Bits
-- EV date should be empty if not EV capable
* ALV Found Cert
-- Lists Standard, BR, and EV with their ALV found cert status of PASS or FAIL or empty (when not applicable)
* ALV Comments
-- List Standard, BR, and EV, with each of their ALV Comments (limit displayed text, but show all with hover-over).

== Intermediate Certs with Failed ALV Results for Code Signing ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Filter out expired certs and revoked certs

== Intermediate Certificates with missing Full CRL ==
* Use the Root Certificate Store Summary Status field, and check if any of the statuses therein contain included or change requested. So the filter logic will not have to be updated later when additional root stores add their statuses.
* Filter out expired certs and revoked certs
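
The store-independent status filter and the audit-age color bands recommended in the comment, as an added Python sketch that is not part of the bug comment and is not CCADB's report code. The record fields, the "Store: Status; Store: Status" layout of the summary field, and the sample rows are assumptions constructed for illustration; statuses are compared per store so that a constructed value such as "Not Included" does not match "included".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Statuses that keep a certificate in a report, per the recommendation.
IN_SCOPE_STATUSES = {"included", "change requested"}
BASE_DAYS = 396  # base offset used in the comment's color thresholds


@dataclass
class CertRecord:  # hypothetical record shape, not CCADB's schema
    name: str
    summary_status: str  # assumed layout: "Store: Status; Store: Status"
    audit_end: Optional[date]
    technically_constrained: bool = False  # the three flags below apply to
    expired: bool = False                  # the intermediate-cert reports
    revoked: bool = False


def store_statuses(summary_status: str) -> dict:
    """Split the summary field into {store: status}, lower-cased."""
    result = {}
    for part in summary_status.split(";"):
        store, sep, status = part.partition(":")
        if sep and status.strip():
            result[store.strip().lower()] = status.strip().lower()
    return result


def in_scope(rec: CertRecord) -> bool:
    """True if any root store lists the cert as included or change requested.

    No store name appears here, so a newly added store needs no code change.
    """
    if rec.technically_constrained or rec.expired or rec.revoked:
        return False
    statuses = store_statuses(rec.summary_status).values()
    return any(status in IN_SCOPE_STATUSES for status in statuses)


def audit_color(audit_end: Optional[date], today: date) -> Optional[str]:
    """Return the most severe band whose threshold the audit end date passes."""
    if audit_end is None:
        return None
    for extra_days, color in ((90, "red"), (60, "yellow"), (30, "green")):
        if audit_end < today - timedelta(days=BASE_DAYS + extra_days):
            return color
    return None  # audit statement is not outdated yet


def outdated_audit_report(records, today: date):
    """Rows of (name, summary status, color) for in-scope, outdated certs."""
    rows = []
    for rec in records:
        color = audit_color(rec.audit_end, today)
        if color and in_scope(rec):
            rows.append((rec.name, rec.summary_status, color))
    return rows


# Constructed sample data, not real CCADB records.
TODAY = date(2022, 1, 1)
SAMPLE = [
    CertRecord("Example Root A", "Mozilla: Included; Microsoft: Included",
               TODAY - timedelta(days=500)),
    CertRecord("Example Root B", "Mozilla: Not Included; Apple: Change Requested",
               TODAY - timedelta(days=430)),
    CertRecord("Example Root C", "Mozilla: Not Included",
               TODAY - timedelta(days=500)),
    CertRecord("Example Sub D", "Mozilla: Included",
               TODAY - timedelta(days=460), revoked=True),
    CertRecord("Example Sub E", "Mozilla: Included",
               TODAY - timedelta(days=100)),
]

if __name__ == "__main__":
    for row in outdated_audit_report(SAMPLE, TODAY):
        print(row)
```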