CCADB Update: "Add/Update Root Request" Case type

Kathleen Wilson

Sep 13, 2022, 9:00:31 PM
to dev-secur...@mozilla.org

All,

The CCADB is being updated to introduce a new Case type called “Add/Update Root Request”, which will replace the existing “CA Audit Update Request” and “CA Information Update Request (Non-Audit)” Case types.

Please do not modify data in the CCADB during this update.

There will be an "Under Construction" message on the CCADB home page, and I will post another update here when the changes have been completed and verified.

In the "Add/Update Root Request" case we are also:

1. Adding a way for CAs to use this new case type to have new root certificate records created in the CCADB

2. Adding a tab called "ROOT INFORMATION", where CAs can provide key generation reports and information about the intended CA hierarchy.

3. Updating Root Certificate records to add more fields.

4. Updating Intermediate Certificate records to remap EKU to Derived Trust Bits.

Our next project will be to revamp the workflow and UI for Root Inclusion Cases. The idea is that a CA will use the "Add/Update Root Request" case type to add records for their new root certificates, and maintain the corresponding policy documents and audit statements there. Separately, the CA can then create the requests for root stores to include those root certificates. This new workflow should:

+ Be much easier for CAs to use 

+ Enable CAs to request inclusion in multiple root stores without having to provide the data multiple times

+ Reduce duplication of data in the CCADB, which currently results in outdated information in Cases – the root inclusion case (which can be open for multiple years) will refer to (not copy) the data in the CA Owner and relevant Root Certificate records.

Thanks,

Kathleen

Rob Stradling

Sep 15, 2022, 9:07:01 AM
to Kathleen Wilson, dev-secur...@mozilla.org
> Please do not modify data in the CCADB during this update.
> There will be an "Under Construction" message on the CCADB home page, and I will post another update here when the changes have been completed and verified.

Hi Kathleen.  Do you know when these changes are expected to be completed and verified?

The "Under Construction" message is still on the CCADB home page and your message was posted well over 24 hours ago.  "Please do not modify data in the CCADB during this update" is problematic, because https://www.ccadb.org/policy#4-intermediate-certificates requires CAs to modify certain data in the CCADB "within 24 hours for a security incident".  

I don't have a security incident to declare, but I do need to add some new intermediate certificates that were issued earlier today "within 7 days".



Ben Wilson

Sep 15, 2022, 11:24:37 AM
to Rob Stradling, Kathleen Wilson, dev-secur...@mozilla.org
Hi Rob,
I'm doing acceptance testing on the changes, and then we should be good to go.  Give me a couple of hours.
Thanks,
Ben

Kathleen Wilson

Sep 15, 2022, 6:52:57 PM
to dev-secur...@mozilla.org, Ben Wilson, r...@sectigo.com
All,

We have completed the update, CCADB is no longer read-only, and the message on the CCADB home page will be updated very soon.

I will be sending the following email to CAs:

--
Dear Certification Authority Operator,

The CCADB has been updated to introduce a new case type called “Add/Update Root Request” that has replaced the previous “Audit Update Request” and “Information Update Request (Non-Audit)” case types. The new case type can be used to provide updates to CA Owner and Root Certificate records, update policy documents, update audit statements, and add root certificate records to the CCADB.

Instructions with screenshots showing how to use the new case type may be found here:

ccadb.org -> For CAs -> Updating Audit Statements, Data, and Policy Documents

https://www.ccadb.org/cas/updates

Best regards,
CCADB Support
--

I have provided additional information about this update in the CCADB Release Notes.

Thanks,
Kathleen
