Open Bug 1727204 Opened 3 years ago Updated 2 years ago

Add automated checks of Subordinate CA Owner names on intermediate certificates

Categories

(CA Program :: Common CA Database, task)

Tracking

(Not tracked)

People

(Reporter: kathleen.a.wilson, Unassigned)

Details

Automate checking and alerting for when the Subordinate CA Owner in an intermediate certificate does not match the Owner name for its doppelgänger (same Subject + SPKI) certificates.

See https://www.usenix.org/system/files/sec21-ma.pdf

  • section 4.2. Clerical error: e-tugra vs E-Tugra, Quo Vadis vs QuoVadis
  • section 4.4: "CCADB could add an automated notification or require a sub-CA label when a single SSPKI maps to certificates with multiple CCADB owners."

Whiteboard: [ccadb-enhancement]

Some of the CAs have resolved the items listed above, but this bug is about an enhancement request for the CCADB. So I will keep this bug open until we implement the enhancement request. (will use the examples for testing in Sandbox, even if the CA already resolved their CCADB records)

Product: NSS → CA Program
Priority: P2 → --
Whiteboard: [ccadb-enhancement]
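
One way to implement the requested check (an added example, not CCADB code and not part of the bug report): group certificate records by Subject + SPKI and flag every group that carries more than one owner string, separating clerical variants such as the ones cited from section 4.2 from genuinely different owners. The record field names, the SSPKI labels and the "Example CA" owners are constructed assumptions, not CCADB's schema or data.

```python
import re
from collections import defaultdict

# Constructed sample records; field names and values are assumptions for
# illustration, not CCADB's actual schema or data.
RECORDS = [
    {"cert": "int-1", "sspki": "SSPKI-A", "owner": "E-Tugra"},
    {"cert": "int-2", "sspki": "SSPKI-A", "owner": "e-tugra"},
    {"cert": "int-3", "sspki": "SSPKI-B", "owner": "QuoVadis"},
    {"cert": "int-4", "sspki": "SSPKI-B", "owner": "Quo Vadis"},
    {"cert": "int-5", "sspki": "SSPKI-C", "owner": "Example CA One"},
    {"cert": "int-6", "sspki": "SSPKI-C", "owner": "Example CA Two"},
    {"cert": "int-7", "sspki": "SSPKI-D", "owner": "Example CA One"},
    {"cert": "int-8", "sspki": "SSPKI-D", "owner": "Example CA One"},
]

def normalize(owner):
    """Fold case and drop spaces/punctuation so clerical variants compare equal."""
    return re.sub(r"[\W_]+", "", owner.casefold())

def find_owner_mismatches(records):
    """Return {sspki: {"kind", "owners", "certs"}} for every Subject+SPKI
    group whose certificates carry more than one owner string."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sspki"]].append(rec)
    alerts = {}
    for sspki, recs in groups.items():
        owners = sorted({r["owner"] for r in recs})
        if len(owners) < 2:
            continue  # all doppelgänger certificates agree on the owner
        distinct = {normalize(o) for o in owners}
        # One normalized name: spelling drift. Several: different owners.
        kind = "clerical" if len(distinct) == 1 else "multiple-owners"
        alerts[sspki] = {"kind": kind, "owners": owners,
                         "certs": sorted(r["cert"] for r in recs)}
    return alerts

if __name__ == "__main__":
    for sspki, a in sorted(find_owner_mismatches(RECORDS).items()):
        print(f"{sspki}: {a['kind']} {a['owners']} -> {a['certs']}")
```
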