Open Bug 1727205 Opened 9 months ago Updated 9 months ago

Adding fields for clarifying CA and subCA ownership details

Categories

(NSS :: Common CA Database, task, P2)

Tracking

(Not tracked)

People

(Reporter: kwilson, Unassigned)

Details

(Whiteboard: [ccadb-enhancement])

Consider if adding fields and policy would help with the suggestion in section 5 of https://www.usenix.org/system/files/sec21-ma.pdf

"CCADB provides mutability to CA certificates.
Because the frequency of CA certificate control changes out-
paces the frequency of CA certificate replacement, current CA
certificates must divorce their names (stored in the certificate)
from their identity (stored outside of the certificate). CCADB
is a natural location to track who controls each CA root and
intermediate certificate. While in some cases we can infer
certificate control from CCADB record owners and uploaded
audits, the data is not easily accessible. Adding explicit fields
for ownership details would allow both root store operators
and researchers to better track CA behavior"

"User agents can
also enforce more stringent CCADB inclusion policies to
help remove trust dependencies on CAs that have refused to
submit details to CCADB."

Whiteboard: [ccadb-enhancement]

After this is implemented, file a bug to request that the browser interface be updated to take the CCADB data into account when displaying the "Verified By" information under the lock icon.

See https://www.usenix.org/system/files/sec21-ma.pdf section 5, "Reconsider Root CA Labels"

You need to log in before you can comment on or make changes to this bug.