Open Bug 1793457 Opened 2 years ago Updated 1 year ago

Visibility of new Root Certificate information in "CA Providing Data" Cases

Categories

(CA Program :: Common CA Database, task)

Product:
CA Program
Component:
Common CA Database
Type:
task

Tracking

(Not tracked)

People

(Reporter: rob, Unassigned)

Details

When preparing to submit a new Root Certificate in an "Add/Update Root Request" Case, the Root Certificate record currently will become visible immediately (e.g., in public CSV reports), even though the Case is still in the "CA Providing Data" state. However, other information relating to that Root Certificate in the same Case remains "hidden" (e.g., CP/CPS and Audit details, CRL disclosures, Test Website URLs) whilst the Case is in the "CA Providing Data" state.

ISTM that all of the information in a Case that relates to a new Root Certificate should either (1) remain "hidden" until the Case has been processed by a Root Store Owner or (2) be immediately visible everywhere.

Since information in a "CA Providing Data" Case has not yet been verified by a Root Store Owner, perhaps option (1) makes most sense?

Hi Rob, thank you for reporting this. I have a couple questions for you:

  1. Do you think this should be classified as a bug or an enhancement request?

  2. How urgent do you think it is to change this behavior?

Notes:

  • This is the behavior that Root Inclusion Cases have always had.
  • As long as the information is all there, our hope is to process the "Add/Update Root Request" cases within a week or two of them being submitted for review.

Hi Kathleen.

For 1, do you (and the other Root Store Owners) think it's a problem that the root certificate records become visible outside the confines of the Case before a Root Store Owner has reviewed and approved the Case? If you think it's a problem, then this is a bug; but if you don't think it's a problem, then this is an enhancement request.

This behaviour took me by surprise, and it's causing some false positives in https://crt.sh/mozilla-disclosures and https://crt.sh/apple-disclosures for Sectigo at the moment, but I don't think it's particularly urgent to change it.

Thanks, Rob.

The CCADB SC discussed this and determined that it is an enhancement request that we would like to implement after we finish our current work on re-designing Root Inclusion Request cases.

We would like to add a field to root certificate records that encompasses 3 use cases:

  1. Incomplete -- The Case in which the Root Certificate is being added is not yet closed.
  2. Obsolete -- Rather than deleting, use this flag as "ignorable" but allow the data to persist in the CCADB.
  3. Rejected - Not accepted into any participating root store that the CA applied to.
Severity: -- → S3
Priority: -- → P1
Whiteboard: [ccadb-enhancement]

Thanks Kathleen.

Perhaps you've already got this covered by other existing fields, but ISTM that there are at least 2 further use cases to consider:
4. Pending - This Root Certificate has been added to the CCADB (i.e., the "Add/Update Root Request" Case is Closed), but either (i) no corresponding "CA Root Inclusion Request" Case(s) have been created yet, or (ii) the corresponding "CA Root Inclusion Request" Cases(s) are still Open.
5. Included - At least one root store has included this Root Certificate.

What do you think?

SGTM. The CCADB SC will discuss this again when it bubbles back up to the top of our to-do list. Thanks!

Product: NSS → CA Program
Severity: S3 → --
Priority: P1 → --
Whiteboard: [ccadb-enhancement]
You need to log in before you can comment on or make changes to this bug.