Closed Bug 1794862 Opened 3 years ago Closed 3 years ago

Add instructions text to top of "Pertaining to Certificates Issued by this CA" section on intermediate certificates

Categories

(CA Program :: Common CA Database, task)

Product:
CA Program
Component:
Common CA Database
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: clint, Unassigned)

Details

Steps to reproduce:

An interaction with some member Store policies, which requires CAs to populate "Pertaining to Certificates Issued by This CA" sections for their CA records, is that only CAs which have issued a certificate need to have this section populated.
This data point, of whether a given CA has issued any certificates, would be helpful to have in the CCADB in order to help improve the comprehensive accuracy of reports and task list items (by allowing such reports to filter out CAs which are marked as having never issued any certificates).
This could likely be a "simple" boolean/checkbox field, like "CA is Active" with help text along the lines of "This box should be checked if the CA has issued any certificates. If checked, the "Pertaining to Certificates Issued by This CA" section is expected to be populated by some CCADB Store policies."

CAs have started to put empty JSON Arrays "[]" or "[""]" for their intermediate certificates that are not yet issuing.

Rather than adding another field, would it be sufficient to add the following text to the top of the "Pertaining to Certificates Issued by this CA" for intermediate certs?

One of the following fields must be filled in. If this intermediate certificate has not issued any certificates, you may put [] into the 'JSON Array of Partitioned CRLs' field until it starts issuing certificates. If the intermediate certificate is expired or revoked, you may put one of the words "expired" or "revoked" into the 'Full CRL Issued By This CA' field.

Severity: -- → S1
Type: enhancement → task
tracking-firefox106: --- → ?
tracking-firefox107: --- → ?
Flags: needinfo?(clintw)
Priority: -- → P1
Whiteboard: [ccadb-enhancement]

Yeah absolutely. I think any consistent "signal" that informs the understanding that the CA is aware of, and complying with, the policy, but that no CRLs are issued/required, would meet the intent of this request; using "[]" in the JSON array, seems to fit to me and is quite logical, and if we encounter confusion from CAs or other use-cases for identifying "active" CAs, we can always revisit in the future.

Summary: Add field to Intermediate Certificate records for CAs to indicate whether it has issued any certificates → Add instructions text to top of "Pertaining to Certificates Issued by this CA" section on intermediate certificates

I have added instructions text in "Pertaining to Certificates Issued by this CA" section for all intermediate pages. If you want to see the text in italics or different font/color, please let me know.

Thanks!

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Severity: S1 → --
Priority: P1 → --
Whiteboard: [ccadb-enhancement]
Flags: needinfo?(clintw)
You need to log in before you can comment on or make changes to this bug.