Closed Bug 1739306 Opened 2 years ago Closed 2 years ago

Problem reporting mechanism list is incomplete

Categories

(CA Program :: Common CA Database, task, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hanno, Assigned: poonam)

References

Details

(Whiteboard: [ccadb-bug])

I believe there is something wrong with the CCADB problem reporting mechanism list:
https://ccadb-public.secure.force.com/ccadb/AllProblemReportingMechanismsReport

This contains 52 entries, which is suspiciously short. Also major CAs (Sectigo, Digicert, Godaddy) are not listed. Likely there's some bug that prevents the majority of CAs from being displayed (?).

Hanno,

I believe that was driven from the November 2017 CA Survey - Results Direct Link

Neither the CCADB Policy nor the Mozilla Root Store Policy presently requires CAs keep the problem reporting mechanism within CCADB accurate, as far as I know. https://github.com/mozilla/pkipolicy/issues/98 was, as far as I can recall, the last issue to touch this.

Instead, the Baseline Requirements were modified in Ballot SC6, as part of Version 1.6.1, to require that the CA disclose via their CP/CPS in Section 1.5.2. CAs are required to keep their CP/CPS disclosures in CCADB as accurate.

So if you're looking to contact a CA, the canonical, audited, BR-compliant mechanism is examining the CP/CPS report. The CCADB is supplementary, and no obligation presently exists to keep it updated.

Does that address your use case? I think it's worth asking whether it's appropriate to remove that report, unless Mozilla plans to require CCADB also reflect the problem reporting mechanism. This mainly influences the https://crt.sh integration, but that's something Rob can always change/remove.

IINM, https://ccadb-public.secure.force.com/ccadb/AllProblemReportingMechanismsReport currently only pulls in details from subordinate CA CCADB records that specify their own Problem Reporting Mechanism details. The Problem Reporting Mechanism details in CA Owner records are not included in this report.

crt.sh currently pulls in the Problem Reporting Mechanism details for CA Owners from https://ccadb-public.secure.force.com/mozilla/CAInformationReportCSVFormat and propagates these to subordinate CAs, but crt.sh doesn't currently supplement these details with https://ccadb-public.secure.force.com/ccadb/AllProblemReportingMechanismsReport. I should probably fix that.

Kathleen, is AllProblemReportingMechanismsReport working as intended? Or do you think it should be changed somehow to also include the Problem Reporting Mechanism details for CA Owners?

Flags: needinfo?(kwilson)
Flags: needinfo?(kwilson)
Priority: -- → P1
Whiteboard: [ccadb-bug]

Thank you for bringing this to my attention.

Apical Apps has corrected the code by querying the database separately for CA Owner and Intermediate Certs as follows:

SELECT CA Owner records
WHERE (Mozilla_Status IN ('Included','Change Requested') OR Microsoft_Status IN ('Included','Change Requested'))
AND Problem_Reporting_Mechanism != Blank

SELECT Intermediate Cert records
WHERE Revocation_Status NOT IN ('Revoked')
AND Valid_To_GMT >= Today
AND Problem_Reporting_Mechanism != Blank

Both results are combined into one list to generate the report.

We will also be updating https://ccadb-public.secure.force.com/mozilla/ProblemReportingMechanismsReport to be similar, but only take Mozilla status into account. (also it currently does not filter out expired and revoked)

Assignee: nobody → poonam
Status: NEW → ASSIGNED

Keeping this bug open, so we can add checks for Apple status as well for CA Owner, and check for intermediate certs that chain up to a root included in one of the programs.

Depends on: 1740773

Hi Kathleen,

Both reports have been updated (AllProblemReportingMechanismsReport & ProblemReportingMechanismsReport) in production.

AllProblemReportingMechanismsReport:
Reports on the Problem Reporting Mechanism field, which is on CA Owner and Intermediate Cert records, for the Mozilla & Microsoft programs. It does not include expired and revoked certs. Intermediate certs are included in the report only if they chain up to an included root in either Microsoft's or Mozilla's program.

ProblemReportingMechanismsReport:
Reports on the Problem Reporting Mechanism field, which is on CA Owner and Intermediate Cert records, for the Mozilla program. It includes expired and revoked certs. Intermediate certs are included in the report only if they chain up to an included root in Mozilla's program.

Regards,
Poonam

(In reply to Poonam Bhargava from comment #5)

AllProblemReportingMechanismsReport:
Reports on the Problem Reporting Mechanism field, which is on CA Owner and Intermediate Cert records, for the Mozilla & Microsoft programs. It does not include expired and revoked certs. Intermediate certs are included in the report only if they chain up to an included root in either Microsoft's or Mozilla's program.

Looks good.
Please also sort the table by the "CA Owner / Intermediate Certificate Name" column.

ProblemReportingMechanismsReport:
Reports on the Problem Reporting Mechanism field, which is on CA Owner and Intermediate Cert records, for the Mozilla program. It includes expired and revoked certs. Intermediate certs are included in the report only if they chain up to an included root in Mozilla's program.

The "mozilla/ProblemReportingMechanismsReport" should be identical to the "AllProblemReportingMechanismsReport" except for two things:

  1. CA Owners should only be included in the report if they are in Mozilla's program.
  2. Intermediate certs are included in report only if they chain up to an included root in Mozilla's program.

Thanks,
Kathleen

Hi Kathleen,

The "AllProblemReportingMechanismsReport" report is sorted on "CA Owner / Intermediate Certificate Name". Sorting is case sensitive, so certs whose names begin with upper case appear at the top, followed by those beginning with lower case.

Mozilla specific report "ProblemReportingMechanismsReport" now includes the correct filters (#1 & #2 in comment #6).

Both reports also have a row of "Instructions", describing the filters.

Regards,
Poonam

Both reports look good now.

Please update the text at the top of ccadb/AllProblemReportingMechanismsReport to:
This report lists the Problem Reporting Mechanisms for CA Owners and intermediate certificates that are not revoked and not expired. This report is filtered according to the CA Owners that are included in Microsoft's or Mozilla's programs, and the intermediate certificates that chain up to root certificates that are included in Microsoft's or Mozilla's programs.

And update the text at the top of mozilla/ProblemReportingMechanismsReport to:
This report lists the Problem Reporting Mechanisms for CA Owners and intermediate certificates that are not revoked and not expired. This report is filtered according to the CA Owners that are included in Mozilla's program and the intermediate certificates that chain up to root certificates that are included in Mozilla's program.
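The filtering rules agreed in this thread, as an added example that is not part of the bug or of the CCADB code: the two reports are the same query run over different program sets, with the final instruction text above (not revoked, not expired, program-filtered owners, intermediates chaining to an included root) as the specification. Record shapes, the "Included"/"Change Requested" status set from comment #3, and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# CCADB statuses that count as "in the program", per the query in comment #3 (assumption)
INCLUDED = {"Included", "Change Requested"}


@dataclass
class CAOwner:
    name: str
    status: dict            # program name -> CCADB status, e.g. {"Mozilla": "Included"}
    prm: str = ""           # Problem Reporting Mechanism; blank means "not disclosed"


@dataclass
class IntermediateCert:
    name: str
    revoked: bool
    valid_to: date          # Valid_To_GMT
    root_programs: frozenset  # programs in which a root this cert chains up to is included
    prm: str = ""


def problem_reporting_report(owners, intermediates, programs, today):
    """Rows of (name, record type, mechanism) for one report, sorted case-sensitively."""
    rows = []
    for o in owners:
        # CA Owner rows: must disclose a mechanism and be included in one of the programs
        if o.prm and any(o.status.get(p) in INCLUDED for p in programs):
            rows.append((o.name, "CA Owner", o.prm))
    for c in intermediates:
        # Intermediate rows: drop blank mechanism, revoked, or expired (Valid_To_GMT < Today)
        if not c.prm or c.revoked or c.valid_to < today:
            continue
        # ...and keep only certs chaining up to a root included in one of the programs
        if c.root_programs & programs:
            rows.append((c.name, "Intermediate Certificate", c.prm))
    return sorted(rows)     # plain str ordering: upper case sorts before lower case (comment #7)


def all_report(owners, intermediates, today):            # ccadb/AllProblemReportingMechanismsReport
    return problem_reporting_report(owners, intermediates, {"Mozilla", "Microsoft"}, today)


def mozilla_report(owners, intermediates, today):        # mozilla/ProblemReportingMechanismsReport
    return problem_reporting_report(owners, intermediates, {"Mozilla"}, today)


# Constructed sample records, not real CCADB data
TODAY = date(2021, 11, 15)
OWNERS = [
    CAOwner("Beta Trust", {"Mozilla": "Included", "Microsoft": "Included"}, "https://beta.example/report"),
    CAOwner("alpha ca", {"Mozilla": "Not Included", "Microsoft": "Change Requested"}, "https://alpha.example/report"),
    CAOwner("Gamma PKI", {"Mozilla": "Included", "Microsoft": "Included"}),  # no mechanism disclosed
]
INTERMEDIATES = [
    IntermediateCert("Beta Trust Issuing CA 1", False, date(2030, 1, 1), frozenset({"Mozilla", "Microsoft"}), "mailto:prob@beta.example"),
    IntermediateCert("Beta Trust Issuing CA 2", True, date(2030, 1, 1), frozenset({"Mozilla"}), "mailto:prob@beta.example"),  # revoked
    IntermediateCert("alpha ca Sub CA", False, date(2020, 1, 1), frozenset({"Microsoft"}), "https://alpha.example/report"),  # expired
    IntermediateCert("Delta Sub CA", False, date(2030, 1, 1), frozenset({"Microsoft"}), "https://delta.example/report"),  # Microsoft-only chain
]
```

Running `all_report(OWNERS, INTERMEDIATES, TODAY)` lists "alpha ca" and "Delta Sub CA" because of their Microsoft standing, while `mozilla_report` drops both.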

Updated the text on both reports.

Thanks!

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Product: NSS → CA Program