Open Bug 1850030 Opened 1 year ago Updated 1 year ago

Update visibility (and possibly behavior) of Store-specific status fields on Intermediate Certificate records

Categories

(CA Program :: Common CA Database, enhancement)

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: clint, Unassigned)

Details

Steps to reproduce:

Intermediate Certificate records contain status fields for each Store in the CCADB. These fields are not visible or directly editable on Intermediate Certificate records. Further, there is some logic in place to automatically set these fields. Unfortunately, currently this logic appears to default to setting the status(es) to "Not Included".

An example is https://ccadb.my.site.com/0014o00001lR4X2AAK / https://ccadb.my.salesforce.com/0014o00001lR4X2AAK, which had its "Apple_Status" field updated to "Not Included" on 8/2/2023.

While it's accurate that the Intermediate Certificate is not directly included in the trust store, because its issuer Root Certificate is, it's somewhat confusing to have the two otherwise identical statuses conflict with each other. Further, since this field is included for some Stores in the AllCertificateRecordsCSVFormat report, it causes inconsistencies in parsing and correctly interpreting the report data.

While I'm not strongly tied to any particular method of addressing these issues, I would propose a couple things:

  1. Display the Store-specific field in the Store-specific sections of the Intermediate Certificate record type.
  2. When the parent Root Certificate record has its status changed, sync that change to its Intermediate Certificate records.
    -- This could potentially cause issues with cross-certified subordinate CAs, but I think it would actually be fine as this wouldn't affect the Root Certificate record(s) tied to the same keys present in the cross-certified subordinate CAs.
  3. Allow for Stores to set the status on Intermediate Certificate records explicitly, if, for example, a specific Intermediate Certificate is blocked or directly trusted/included by a Store.

I don't think this update is particularly urgent and could certainly be broken up into smaller tasks based on ROI for each.
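
Added example, not part of the original bug report and not CCADB code: one way a consumer of the report could cope with the conflict described above is to resolve each Intermediate Certificate's status from its issuing Root Certificate and flag records where the two disagree. The column names and sample rows are constructed assumptions, not the real AllCertificateRecordsCSVFormat header, and each record is assumed to name a single parent.

```python
import csv
import io

# Constructed sample rows; column names are assumptions, not the real report header.
SAMPLE = """\
Record ID,Record Type,Parent Record ID,Apple Status
R1,Root Certificate,,Included
I1,Intermediate Certificate,R1,Not Included
I2,Intermediate Certificate,I1,Not Included
R2,Root Certificate,,Not Included
I3,Intermediate Certificate,R2,Not Included
I4,Intermediate Certificate,R9,Not Included
"""


def load(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def effective_status(rows, status_col="Apple Status"):
    """For each intermediate, report its own status, its root's status,
    and whether the two conflict. 'root' is None when the chain cannot
    be followed to a root record (missing parent or a parent loop)."""
    by_id = {r["Record ID"]: r for r in rows}
    result = {}
    for row in rows:
        if row["Record Type"] != "Intermediate Certificate":
            continue
        seen, cur = set(), row
        while cur is not None and cur["Record Type"] != "Root Certificate":
            if cur["Record ID"] in seen:  # guard against parent loops
                cur = None
                break
            seen.add(cur["Record ID"])
            cur = by_id.get(cur["Parent Record ID"])
        root_status = cur[status_col] if cur is not None else None
        result[row["Record ID"]] = {
            "own": row[status_col],
            "root": root_status,
            "conflict": root_status is not None and root_status != row[status_col],
        }
    return result


if __name__ == "__main__":
    for rec_id, info in effective_status(load(SAMPLE)).items():
        print(rec_id, info)
```
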
