Open Bug 1744333 Opened 6 months ago

Redesign the way that CCADB handles audits for new intermediate certificates

Categories

(NSS :: Common CA Database, task)

Tracking

(Not tracked)

People

(Reporter: kwilson, Unassigned)

Details

(Whiteboard: [ccadb-roadmap] TBD)

CAs are required to provide audit statement URLs for all intermediate certificates, or check the "Audits Same as Parent" box.

If the CA has a currently valid audit report at the time of creation of the intermediate certificate, then the new certificate must appear on the CA's next periodic audit reports. So when CAs add the new intermediate certificate to the CCADB, they also have to provide the current audit statements for the audits that the certificate will be in during the next audit cycle. This can be misleading, because the certificate isn't in the audit statements that cover an audit period before the creation of the certificate.

The primary concern here is about externally-operated intermediate CAs that can get away without having their own audit statements for up to a year, if the CA incorrectly indicates audit statements that the certificate will be in.

Will need to carefully consider how to distinguish between new intermediate certs that should be in the CA's next regular audit statements versus new intermediate certs that need their own audit statements.

There is logic in several places in the CCADB, including task lists and reports, that will be impacted when this gets redesigned.
