Closed Bug 1813263 Opened 2 years ago Closed 2 years ago

Add Triggers to clear out trust bit and EV flags when root certs are removed from a root store

Categories

(CA Program :: Common CA Database, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: poonam)

Details

Please add the following triggers to root certificates in the CCADB.

  1. When Apple status is changed to anything other than Included, set "Apple Trust Bits" to empty, "Apple EV TLS Enabled" to False, and "Apple EV TLS Policy OID(s)" to empty.

  2. When Google Chrome Status is set to anything other than Included or Change Requested, set "Google Chrome EV Enabled" to False.

  3. When Mozilla Status is set to anything other than Included or Change Requested, set "Mozilla Trust Bits" to empty, "Mozilla EV Policy OID(s)" to empty, and "ExtendedValidation.cpp OIDs" to empty.

Clint and Chris, please confirm that the description in this bug describes the correct changes for your sections.

Confirmed. This description is correct for Chrome.

Confirmed, "When Apple status is changed from Included to anything other than Included, set "Apple Trust Bits" to empty, "Apple EV TLS Enabled" to False, and "Apple EV TLS Policy OID(s)" to empty." is the correct change for Apple.

I have tested these changes in Sandbox. Looks good to me.

Code changes have been deployed in production and the existing root certificate records have been updated to match the trigger logic.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Severity: S1 → --
Priority: P1 → --
Whiteboard: [ccadb-enhancement]
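
Added example, not CCADB's own trigger code: the three rules from this bug as a rule table, with a check that lists fields on a record that still need clearing and a function that clears them. The dict-based record layout and the "Removed" status value are assumptions; field names and the "Included" / "Change Requested" values are taken from the bug text.

```python
# Added example: one entry per root store. A status outside keep_when means
# the listed fields must be reset to the given cleared values.
RULES = {
    "Apple Status": {
        "keep_when": {"Included"},
        "reset": {"Apple Trust Bits": "",
                  "Apple EV TLS Enabled": False,
                  "Apple EV TLS Policy OID(s)": ""},
    },
    "Google Chrome Status": {
        "keep_when": {"Included", "Change Requested"},
        "reset": {"Google Chrome EV Enabled": False},
    },
    "Mozilla Status": {
        "keep_when": {"Included", "Change Requested"},
        "reset": {"Mozilla Trust Bits": "",
                  "Mozilla EV Policy OID(s)": "",
                  "ExtendedValidation.cpp OIDs": ""},
    },
}

def stale_fields(record):
    """Return {field: cleared_value} for fields that contradict the status."""
    stale = {}
    for status_field, rule in RULES.items():
        # A missing status counts as "anything other than Included".
        if record.get(status_field) in rule["keep_when"]:
            continue
        for field, cleared in rule["reset"].items():
            if record.get(field) not in (None, "", cleared):
                stale[field] = cleared
    return stale

def apply_triggers(record):
    """Return a copy of the record with every stale field cleared."""
    return {**record, **stale_fields(record)}

# Constructed sample record (illustrative values, not CCADB data).
SAMPLE = {
    "Apple Status": "Removed",
    "Apple Trust Bits": "Server Authentication",
    "Apple EV TLS Enabled": True,
    "Apple EV TLS Policy OID(s)": "2.23.140.1.1",
    "Google Chrome Status": "Change Requested",
    "Google Chrome EV Enabled": True,
    "Mozilla Status": "Removed",
    "Mozilla Trust Bits": "Websites",
    "Mozilla EV Policy OID(s)": "2.23.140.1.1",
    "ExtendedValidation.cpp OIDs": "",
}
```

Running `stale_fields` over an export of existing records gives the same kind of backfill list as the one-time update described in the last comment; the Chrome EV flag in the sample is left alone because "Change Requested" is an allowed status for that store.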