Closed Bug 1711782 Opened 4 years ago Closed 4 years ago

Have CCADB perform checks about applicable audits before sending the data to ALV

Categories

(CA Program :: Common CA Database, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: poonam)

References

(Blocks 1 open bug)

Details

In both Audit Cases and Root Inclusion Cases, CAs sometimes forget to indicate all of the applicable audits for the root certificates. So please have CCADB compare the selected audits against the settings for the root stores that each root is in, and display a warning if there is an inconsistency.

Here's the logic, on a per root case basis:

  • Standard Audit should be selected
  • If Mozilla Trust Bits contains Websites or Microsoft Trust Bits contains Server Authentication or Apple Trust Bits contains TLS-Server, then BR audit should be selected.
  • If Mozilla EV Policy OID(s) starts with a number or Microsoft Trust Bits EV SSL is true or Apple EV TLS Enabled is true, then EV SSL audit should be selected.
  • If Microsoft Trust Bits contains Code Signing, then Code Signing audit should be selected.
  • If Microsoft Trust Bits EV Code Signing is true, then EV Code Signing audit should be selected.

Note: This depends on Bug #1711597 and on Microsoft updating their new Microsoft Trust Bits EV SSL field, and CCADB being updated to copy the correct fields to the Audit Root Case.

The main message to the user should be:
Please go back and verify that all of the appropriate audit statements have been selected for each root certificate by using the 'Add/Update Root Cases' button.

And add more information about which root certificates are missing what in smaller font below the main message. Or at the minimum display the logic.

There should be two buttons: Go Back, Proceed Anyways
(because sometimes CAs really do only want to update one audit statement)
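
The per-root-case rules from the description above, written out as an added example; it is not part of the bug report and is not CCADB's own code. The field names, the `;` list separator, the audit labels and the sample records are assumptions made for illustration.

```python
import re

# Field names, the ';' list separator and the audit labels are assumptions
# modelled on the wording of the bug; they are not CCADB's real API names.
MAIN_MESSAGE = ("Please go back and verify that all of the appropriate audit "
                "statements have been selected for each root certificate by "
                "using the 'Add/Update Root Cases' button.")

def bits(value):  # 'Websites;Email' -> {'Websites', 'Email'}, exact tokens only
    return {b.strip() for b in (value or "").split(";") if b.strip()}

def required_audits(root):
    """Audits the bug's rules expect for one root case."""
    need = {"Standard"}
    if ("Websites" in bits(root.get("mozilla_trust_bits"))
            or "Server Authentication" in bits(root.get("microsoft_trust_bits"))
            or "TLS-Server" in bits(root.get("apple_trust_bits"))):
        need.add("BR")
    # "Starts with a number": an OID counts, non-numeric text does not.
    oids = (root.get("mozilla_ev_policy_oids") or "").strip()
    if (re.match(r"\d", oids) or root.get("microsoft_ev_ssl")
            or root.get("apple_ev_tls_enabled")):
        need.add("EV SSL")
    if "Code Signing" in bits(root.get("microsoft_trust_bits")):
        need.add("Code Signing")
    if root.get("microsoft_ev_code_signing"):
        need.add("EV Code Signing")
    return need

def prescreen(root_cases):
    """Return None if consistent, else the warning to show before calling ALV."""
    missing = {}
    for root in root_cases:
        gap = required_audits(root) - set(root.get("selected_audits", []))
        if gap:
            missing[root["name"]] = sorted(gap)
    if not missing:
        return None
    return {"message": MAIN_MESSAGE, "details": missing,
            "buttons": ["Go Back", "Proceed Anyways"]}

# Constructed sample root cases (not real CCADB records).
SAMPLE = [
    {"name": "Example Root A", "mozilla_trust_bits": "Websites;Email",
     "mozilla_ev_policy_oids": "2.23.140.1.1", "selected_audits": ["Standard", "BR"]},
    {"name": "Example Root B", "microsoft_trust_bits": "Code Signing;Secure Email",
     "mozilla_ev_policy_oids": "Not EV", "microsoft_ev_code_signing": True,
     "selected_audits": ["Standard", "Code Signing"]},
    {"name": "Example Root C", "mozilla_trust_bits": "Email", "selected_audits": ["Standard"]},
]
```

Calling `prescreen(SAMPLE)` flags Example Root A as missing the EV SSL audit and Example Root B as missing the EV Code Signing audit, while Example Root C passes.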

Whiteboard: [ccadb-enhancement]
Assignee: nobody → poonam
Status: NEW → ASSIGNED

Hi Kathleen,

The ALV process has been modified to prescreen the data before sending the request to ALV. You can check case #00001499 to see the warning message when the ALV button is selected. I will move the changes to production after you have verified the process in the sandbox. Thank you.

Regards,
Poonam

Priority: P2 → P1

I think this logic will have to be updated based on Bug #1711597, so let's wait until that bug is completed and then make sure this logic is using the updated fields.

Blocks: 1723018

This change went into CCADB production on August 5.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Priority: P1 → --
Whiteboard: [ccadb-enhancement]
Blocks: 1810898
No longer blocks: 1723018