To me your options 1 and 3 seem to be a hack on top of a hack, making the
API harder to understand and making it more likely for CAs to make
implementation errors. You have already made a hack in the API by changing
[] into blank. I guess you have done that because you have already used
null to mean "don't change the value of this field", and there is no good
way to support both "set to blank" and "don't update the field" when the
type is a List.

You could implement your option 2 in a backwards compatible way by adding a
field with a different name (e.g. JSONArrayofPartitionedCRLsAsString) and
then allow at most one of the fields to be set in the request.

On Mon, 13 Mar 2023 at 23:59, Kathleen Wilson <[email protected]> wrote:

> Currently the "JSON Array of Partitioned CRLs" field can be set to '[]' to
> indicate that the CA is aware that this value needs to be provided as soon
> as the intermediate certificate starts to issue certificates. We did this
> because leaving the "JSON Array of Partitioned CRLs" field empty indicates
> that the CA has not set the value in this field, and this results in an
> error that is reported in the CA's Task List when the "Full CRL Issued By
> This CA" field is also empty.
>
> However, there is a problem when the "JSON Array of Partitioned CRLs"
> field needs to be set to '[]' via the API. When '[]' is passed into
> JSONArrayofPartitionedCRL the CCADB program sees it as an empty string.
>
> Here are a couple options to resolve this problem.
>
> Option 1:
> Update the CCADB to interpret input from the API
> <https://github.com/mozilla/CCADB-Tools/tree/master/API_AddUpdateIntermediateCert>
> :
> -  If FullCRLIssuedByThisCA is provided then JSONArrayofPartitionedCRLs
> should be empty.
> -  If *both* FullCRLIssuedByThisCA and JSONArrayofPartitionedCRLs are
> empty (or ‘[]’ which is seen as empty by the CCADB) then set the
> JSONArrayofPartitionedCRLs field to ‘[]’.
> -  If JSONArrayofPartitionedCRLs is null, then no action is taken on the
> field.
>
> Option 2:
> Update the API to change JSONArrayofPartitionedCRLs to take a string
> instead of a JSON array.
> This will be a breaking change for the CAs who are currently using the
> API, as they will need to update the data type on their side as well.
>
> Option 3:
> Maybe [" "] or [""] can be passed into JSONArrayofPartitionedCRLs?
> I'll ask our Salesforce Admin if the CCADB also sees those as empty when
> passed in via the API.
>
> ---
> Here are current references on this topic, and I have bolded the text that
> is relevant to this discussion.
>
> Apple's Root Store Policy
> <https://www.apple.com/certificateauthority/ca_program.html>:
> "Effective October 1, 2022, CA providers must populate the CCADB fields
> under "Pertaining to Certificates Issued by This CA" with either the CRL
> Distribution Point for the "Full CRL Issued By This CA" or a "JSON Array of
> Partitioned CRLs" on Root and Intermediate Certificate records, *within 7
> days of the corresponding CA issuing its first certificate*. This
> requirement applies to each included CA Certificate and each CA Certificate
> chaining up to an included CA Certificate in the Apple Root Program."
>
> Mozilla's Root Store Policy
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/>
> :
> "CA operators with intermediate CA certificates that are capable of
> issuing TLS certificates chaining up to root certificates in Mozilla's root
> store SHALL populate the CCADB fields under "Pertaining to Certificates
> Issued by This CA" with either the CRL Distribution Point for the "Full CRL
> Issued By This CA" or a "JSON Array of Partitioned CRLs" *within 7 days
> of such intermediate CA issuing its first certificate*;"
>
> In the CCADB on intermediate certificate record pages, there is text at
> the beginning of the "Pertaining to Certificates Issued by this CA" section
> that says:
> "One of the following fields must be filled in. *If this intermediate
> certificate has not issued any certificates, you may put [] into the 'JSON
> Array of Partitioned CRLs' field until it starts issuing certificates.*
> The 'Full CRL Issued By This CA' can only contain one URL"
>
> The README.md for the API
> <https://github.com/mozilla/CCADB-Tools/tree/master/API_AddUpdateIntermediateCert>
> that is used by CAs to update intermediate certificate data in the CCADB
> says:
> Class PertainingToCertificatesIssued {
>     String FullCRLIssuedByThisCA;            # can be null or a link
>     List<string> JSONArrayofPartitionedCRLs  # Can be null or a JSON Array
> of strings; no action taken on this field when value is null;* when value
> is [] the field is reset to empty*; field has 20,000 characters limit
> }
>
> Email from our Salesforce admin:
> "The integration program reads 'JSONArrayofPartitionedCRL' into a list of
> array. *When the user passes '[]' in the request, the program sees it as
> an empty string.* "
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/ccadb.org/d/msgid/public/a20fa312-08d5-4146-baf3-e1f81137a463n%40ccadb.org
> <https://groups.google.com/a/ccadb.org/d/msgid/public/a20fa312-08d5-4146-baf3-e1f81137a463n%40ccadb.org?utm_medium=email&utm_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/CACAF_WjroXcAOA3TnUik%3DhUont5SPctrSnBkvEZ5qDkdTiv41w%40mail.gmail.com.
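The thread turns on one decoding detail: a JSON list field that must carry three meanings (absent or null = leave the stored value alone, [] = reset to empty, a non-empty array = replace), and a decoder that collapses [] into an empty string. The following is an added example, not code from the CCADB-Tools API, the Salesforce integration or any poster in this thread. It shows how a loose "is blank" test loses the distinction, and a three-state decode that keeps it and also enforces the "only one of the two fields" rule from the record page. The field names come from the README quoted above; the request wrapper key `PertainingToCertificatesIssued`, the action names KEEP/RESET/SET and the sample request bodies are assumptions constructed for the example.

```python
"""Three-state decode of a JSON list field (absent/null, [] and non-empty).
Hypothetical example; field names follow the CCADB API README, the request
shape and action names are assumptions made for illustration."""
import json
from typing import Any, Tuple

# Actions taken on the stored value of a field.
KEEP = "keep"    # null or absent key: leave the stored value untouched
RESET = "reset"  # []: clear the stored value (the "CA has not issued yet" marker)
SET = "set"      # non-empty array / URL: replace the stored value

# Sentinel for "key not present in the request body". Distinct from None,
# which is what json.loads returns for an explicit JSON null.
ABSENT = object()

# Character limit quoted in the README for JSONArrayofPartitionedCRLs.
MAX_FIELD_CHARS = 20_000


def naive_is_empty(value: Any) -> bool:
    """A loose "is blank" test. Python truthiness (like many isBlank helpers)
    returns True for None, "" and [] alike, which is exactly how a '[]' reset
    request gets read as an empty string and the intent is lost."""
    return not value


def decode_partitioned_crls(value: Any) -> Tuple[str, Any]:
    """Map the wire value of JSONArrayofPartitionedCRLs to (action, value)."""
    if value is ABSENT or value is None:
        return KEEP, None
    if isinstance(value, str):
        # A string such as "[]" is a client-side type error, not a reset
        # request: reject it instead of silently coercing it to empty.
        raise ValueError("JSONArrayofPartitionedCRLs must be a JSON array, not a string")
    if not isinstance(value, list) or not all(isinstance(u, str) for u in value):
        raise ValueError("JSONArrayofPartitionedCRLs must be a JSON array of strings")
    if len(json.dumps(value)) > MAX_FIELD_CHARS:
        raise ValueError("JSONArrayofPartitionedCRLs exceeds the 20,000 character limit")
    if not value:
        return RESET, []
    return SET, list(value)


def interpret_request(body: str) -> dict:
    """Parse one request body and return the action to apply to each field."""
    doc = json.loads(body)
    section = doc.get("PertainingToCertificatesIssued", {})
    full_crl = section.get("FullCRLIssuedByThisCA", ABSENT)
    part_action, part_value = decode_partitioned_crls(
        section.get("JSONArrayofPartitionedCRLs", ABSENT))

    if full_crl is ABSENT or full_crl is None:
        full_action, full_value = KEEP, None
    elif isinstance(full_crl, str):
        full_action, full_value = (SET, full_crl) if full_crl else (RESET, "")
    else:
        raise ValueError("FullCRLIssuedByThisCA must be a string or null")

    # Only one of the two fields may be populated: a full CRL URL and a
    # non-empty partition list in the same request is a contradictory update.
    if full_action == SET and part_action == SET:
        raise ValueError("set either FullCRLIssuedByThisCA or "
                         "JSONArrayofPartitionedCRLs, not both")

    return {
        "FullCRLIssuedByThisCA": (full_action, full_value),
        "JSONArrayofPartitionedCRLs": (part_action, part_value),
    }


def rejects(body: str) -> bool:
    """True when the request is refused with a ValueError."""
    try:
        interpret_request(body)
    except ValueError:
        return True
    return False


# Constructed sample request bodies (not real CCADB traffic).
RESET_MARKER = ('{"PertainingToCertificatesIssued": '
                '{"FullCRLIssuedByThisCA": null, "JSONArrayofPartitionedCRLs": []}}')
NO_CHANGE = ('{"PertainingToCertificatesIssued": '
             '{"FullCRLIssuedByThisCA": null, "JSONArrayofPartitionedCRLs": null}}')
STRING_BUG = '{"PertainingToCertificatesIssued": {"JSONArrayofPartitionedCRLs": "[]"}}'
BOTH_SET = ('{"PertainingToCertificatesIssued": {"FullCRLIssuedByThisCA": '
            '"http://crl.example/full.crl", '
            '"JSONArrayofPartitionedCRLs": ["http://crl.example/p1.crl"]}}')

if __name__ == "__main__":
    for name, body in [("reset", RESET_MARKER), ("no change", NO_CHANGE)]:
        print(name, interpret_request(body)["JSONArrayofPartitionedCRLs"])
    print("string '[]' rejected:", rejects(STRING_BUG))
    print("both fields set rejected:", rejects(BOTH_SET))
```

The decode keys on the JSON type, not on emptiness: null and a missing key map to KEEP, an array of length zero maps to RESET, and a string is refused outright. Refusing the string is the deliberate choice here; a server that coerced "[]" to blank would keep producing the very ambiguity the thread describes.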
