Open Bug 1295698 Opened 8 years ago Updated 2 years ago

Tool/Script to check that the CA Community in Salesforce data is in sync with the NSS root store and ExtendedValidation.cpp

Categories

(Core :: Security: PSM, enhancement, P3)

People

(Reporter: kathleen.a.wilson, Unassigned)

Details

(Whiteboard: [psm-backlog])

Request: Tool/script to check that root cert data in the CA Community in Salesforce is in sync with the NSS root store and ExtendedValidation.cpp. Can be a command-line tool with code kept in github.

The Salesforce data is available here: https://wiki.mozilla.org/CA:IncludedCAs

CSV Format of Spreadsheet of Included CA Certificates: https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReportCSVFormat

The tool/script would compare the data in the IncludedCACertificateReportCSVFormat file with the data in the NSS root store, and list any root certs that are on one and not the other. Output would show the deltas: the Certificate Issuer Organization, Certificate Subject Name, and SHA1 (or SHA256) Fingerprint.

The tool/script would also compare the data in the IncludedCACertificateReportCSVFormat file with the contents of the ExtendedValidation.cpp, and list any root certs that are indicated to receive EV treatment in one and not the other. Output would show the deltas: the Certificate Issuer Organization, Certificate Subject Name, and SHA1 (or SHA256) Fingerprint, the EV Policy OID.

Thanks,
Kathleen
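As an added illustration (not code from this bug, from Mozilla or from the CCADB tooling), here is a minimal Python version of the first comparison the request describes: it parses the NSS certdata.txt object format, hashes each CKA_VALUE DER blob to a SHA-256 fingerprint, reads the CCADB CSV export, and lists roots present in one source but not the other. The CSV column names and the sample certdata/CSV contents are assumptions constructed for the example.

```python
import csv, hashlib, io, re

# Column names assumed for the IncludedCACertificateReportCSVFormat export.
COL_ORG, COL_SUBJECT, COL_SHA256 = ("Certificate Issuer Organization",
                                    "Certificate Subject Name", "SHA-256 Fingerprint")

def sha256_fp(der: bytes) -> str:  # uppercase hex SHA-256 fingerprint of a DER cert
    return hashlib.sha256(der).hexdigest().upper()

def parse_certdata(text: str) -> dict:
    """Map fingerprint -> CKA_LABEL. Only CKA_VALUE (the DER, present just on
    CKO_CERTIFICATE objects) is hashed; issuer/serial/hash blobs are skipped."""
    roots, label, attr, octets = {}, None, None, bytearray()
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith("CKA_LABEL "):
            label = line.split('"')[1]
        elif line.endswith("MULTILINE_OCTAL"):
            attr, octets = line.split()[0], bytearray()
        elif line == "END":
            if attr == "CKA_VALUE":
                roots[sha256_fp(bytes(octets))] = label
            attr = None
        elif attr:  # one byte per \NNN octal escape
            octets += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", line))
    return roots

def parse_ccadb_csv(text: str) -> dict:  # fingerprint -> (issuer org, subject)
    return {r[COL_SHA256].replace(":", "").upper(): (r[COL_ORG], r[COL_SUBJECT])
            for r in csv.DictReader(io.StringIO(text))}

def root_deltas(csv_text: str, certdata_text: str):  # -> (only_in_ccadb, only_in_nss)
    ccadb, nss = parse_ccadb_csv(csv_text), parse_certdata(certdata_text)
    return ([(fp, *ccadb[fp]) for fp in sorted(ccadb.keys() - nss.keys())],
            [(fp, nss[fp]) for fp in sorted(nss.keys() - ccadb.keys())])

# Constructed sample (not real certificates): Root A is in both sources, Root B
# only in certdata.txt, Root C only in the CSV. The raw string keeps \NNN literal.
CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root A"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root B"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
"""
CCADB_CSV = (f"{COL_ORG},{COL_SUBJECT},{COL_SHA256}\nExample Org,Constructed Root A,"
             f"{sha256_fp(bytes.fromhex('3003020101'))}\nExample Org,Constructed Root C,{'AB' * 32}\n")
```

Calling `root_deltas(CCADB_CSV, CERTDATA)` on the sample reports Root C as CCADB-only and Root B as NSS-only; the same two functions can be pointed at the real certdata.txt and CSV files once the column names are confirmed.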
Priority: -- → P3
Whiteboard: [psm-backlog]
Need to build external controls to detect anomalies in the Salesforce database (Common CA Database / CA Community in Salesforce). For example, by comparing the list of trusted roots between NSS and Salesforce and sending notifications to the CA team when differences are spotted. The same could be done for whitelisted/blacklisted intermediate certs.
I think it would make sense to implement this as a periodic job in the TLS Observatory: https://github.com/mozilla/tls-observatory/issues/165

Current Status:

We have a "Data Integrity - certdata.txt" tool that I run in the CCADB on a regular basis, that compares the root cert data in the CCADB with the Beta version of certdata.txt.

We don't yet have the tool for comparing the data in the CCADB with the data in ExtendedValidation.cpp. It's still on our to-do list.

Severity: normal → S3