Closed Bug 1756007 Opened 3 years ago Closed 3 years ago

Separate logic for Derived Trust Bits and EV SSL Capable from ALV logic

Categories

(CA Program :: Common CA Database, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: poonam)

Move the logic for "Derived Trust Bits" and "EV SSL Capable" into separate routines that can be called by an hourly batch job (out of the ALV logic and ALV batch job).

Update the ALV batch job to run once per day, but 15 minutes after the "Derived Trust Bits" and "EV SSL Capable" processes run.

Summary: Update Derived Trust Bits, EV SSL Capable, and Parent ID fields via hourly batch job → Separate logic for Derived Trust Bits and EV SSL Capable from ALV logic

The logic for Derived Trust Bits and EV SSL Capable has been separated from the ALV button and batch job.

In the new logic, a trigger method will launch an asynchronous process to calculate Derived Trust Bits and EV SSL Capable when the following conditions are met:

  1. A new intermediate cert is added OR
  2. Any of the below key fields are modified on intermediate certs or root certificate
    Derived_Trust_Bits
    EV_SSL_Capable
    Mozilla_Trust_Bit
    Microsoft_Trust_Bit
    Mozilla_Status
    Microsoft_Status
    Apple_Status
    Apple_Trust_Bits
    Extended_Key_Usage
    Revocation_Status
    Valid_To_GMT
    Subject_SPKI_SHA256
    ParentId
    Policy_Identifiers
    ExtendedValidation_cpp_OIDs
    Microsoft_EV_SSL_Enabled
    Apple_EV_Enabled

A separate batch program will check for expired intermediate certs (Valid To > Today). This needs to be scheduled shortly after midnight to make the DTS and EV SSL Capable fields blank and set the Pre field with the original DTS value.

Do we need to include "Apple EV TLS Enabled" & "Apple EV TLS Policy OID(s)" to calculate EV SSL Capable? If yes, what values do we need to check for OIDs?

These changes are only in the sandbox.
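
Added example, not part of the bug thread or the CCADB code: a Python sketch of the trigger condition and the daily expiry batch described in the comment above. The `Record_Type`, `Name` and `Previous_Derived_Trust_Bits` keys are hypothetical, the records are constructed, and "expired" is assumed to mean `Valid_To_GMT` earlier than the run date.

```python
from datetime import date

# Key fields from the list above: a change to any of them on an intermediate
# or root certificate record launches the recalculation.
KEY_FIELDS = (
    "Derived_Trust_Bits", "EV_SSL_Capable", "Mozilla_Trust_Bit",
    "Microsoft_Trust_Bit", "Mozilla_Status", "Microsoft_Status",
    "Apple_Status", "Apple_Trust_Bits", "Extended_Key_Usage",
    "Revocation_Status", "Valid_To_GMT", "Subject_SPKI_SHA256", "ParentId",
    "Policy_Identifiers", "ExtendedValidation_cpp_OIDs",
    "Microsoft_EV_SSL_Enabled", "Apple_EV_Enabled",
)

def changed_key_fields(old, new):
    """Key fields whose values differ between two versions of a record."""
    return [f for f in KEY_FIELDS if old.get(f) != new.get(f)]

def should_recalculate(old, new):
    """Condition 1 (new intermediate cert) or condition 2 (key field modified)."""
    if old is None:  # record is being inserted
        return new.get("Record_Type") == "Intermediate"  # hypothetical field
    return bool(changed_key_fields(old, new))

def expire_sweep(records, today):
    """Daily batch: blank derived fields on expired intermediates, keep the old value."""
    swept = []
    for rec in records:
        if rec.get("Record_Type") != "Intermediate" or rec["Valid_To_GMT"] >= today:
            continue  # assumption: expired means Valid_To_GMT is before today
        if not rec.get("Derived_Trust_Bits") and not rec.get("EV_SSL_Capable"):
            continue  # already blanked by an earlier run; keep the saved value
        if rec.get("Derived_Trust_Bits"):
            rec["Previous_Derived_Trust_Bits"] = rec["Derived_Trust_Bits"]
        rec["Derived_Trust_Bits"] = rec["EV_SSL_Capable"] = ""
        swept.append(rec["Name"])
    return swept

def sample_records():
    """Constructed records, not real CCADB data."""
    return [
        {"Name": "Constructed Expired CA", "Record_Type": "Intermediate",
         "Valid_To_GMT": date(2022, 2, 1), "EV_SSL_Capable": "true",
         "Derived_Trust_Bits": "Server Authentication"},
        {"Name": "Constructed Valid CA", "Record_Type": "Intermediate",
         "Valid_To_GMT": date(2030, 1, 1), "EV_SSL_Capable": "",
         "Derived_Trust_Bits": "Server Authentication"},
    ]
```

The second-run check in `expire_sweep` keeps a repeated batch from overwriting the saved previous value with a blank.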

> Do we need to include "Apple EV TLS Enabled" & "Apple EV TLS Policy OID(s)" to calculate EV SSL Capable? If yes, what values do we need to check for OIDs?

Only "Apple EV TLS Enabled" -- do not need to also check "Apple EV TLS Policy OID(s)" to calculate EV SSL Capable

Tested in Sandbox. Ready to move to production.

ALV processing and recalculation of Derived Trust Bits/EV SSL Capable fields logic has been separated and the new programs have been deployed in production. A one-time script was used to update the data for existing intermediate cert records.

The new logic uses "Apple EV TLS Enabled" to calculate "EV SSL Capable".

Thanks!

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Priority: P1 → --
Whiteboard: [ccadb-enhancement]