On 8/8/19 9:03 AM, Ryan Sleevi wrote:
On Wed, Aug 7, 2019 at 6:28 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

I have been working towards extending Audit Letter Validation (ALV) to
intermediate certificate records in the CCADB. This is involving some
changes.
....
I will appreciate input on how to make that more clear.



Ryan, thank you for your input.

All, The following changes have been made to the CCADB. Your input is still welcome.

1) Changed the help text on intermediate cert pages for ‘Subordinate CA Owner’ to: "Enter Subordinate CA’s name as it appears in the provided audit statements. Leave blank if BOTH control of the private key AND domain/IP/email validation activities are performed by the organization listed in the audit statement of the parent certificate."

Notes:
Help text can be up to 255 characters.
ALV only accepts one CA Name (or in this case Subordinate CA Name) to look for in the provided audit statements.


2) Added item/section/instructions to CA Task List on Homepage:
Item:
"Intermediate Certs missing Subordinate CA Owner or Auditor Info: 10"

Corresponding section if non-zero:
"Provide missing Subordinate CA Owner or Auditor Info for these Intermediate Certs"

Instructions:
When an intermediate certificate record in the CCADB corresponds to a certificate which has an audit for the operational and issuance activities that names an organization different than the organization named in the audit statement of the parent record in CCADB, then fill in the 'Subordinate CA Owner' field to indicate the name of the organization as it appears in the intermediate certificate's operational audit. Also fill in the Auditor name as it appears in the audit statements.

Note: This new Task List item currently filters out intermediate certs that are revoked, expired, technically-constrained, or don't chain up to a root in Mozilla's program.


3) Added ‘Subordinate CA Owner’ column to the public facing reports IntermediateCertsSeparateAudits and IntermediateCertsSeparateAuditsCSV and changed the heading of the existing 'CA Owner' column to 'Parent CA Owner'.
https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAudits
https://ccadb-public.secure.force.com/mozilla/IntermediateCertsSeparateAuditsCSV

CAs, I will greatly appreciate it if you will use the new Task List item on your homepage in the CCADB to provide 'Subordinate CA Owner' and 'Auditor' for each intermediate certificate that has its own audit statements.

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
