CCADB Update: AllCerts Report Additions


Clint Wilson
Sep 27, 2023, 5:59:31 PM
to public

TL;DR: The CCADB Steering Committee has updated the “All Certificate Information (root and intermediate) in CCADB” [1] (aka AllCertificateRecordsCSVFormat) report to include two additional columns: “Derived Trust Bits” and “Status of Root Cert”.


All,


The CCADB Steering Committee has received two problem statements from CAs regarding the value and reliability of the AllCertificateRecordsCSVFormat report. After discussion and design within the CCADB Steering Committee, an enhancement has been made to the report to address these problem statements.


Status of Root Cert

The first problem [2] identified an issue with accurately assessing the inclusion status of a given Intermediate Certificate in a Root Store using the details provided in the AllCertificateRecordsCSVFormat report. The identified solution was to add a new column which matches the content of the “Status of Root Cert” field in the CCADB. This field combines the status values from the separate Mozilla, Microsoft, Google Chrome, and Apple status fields, representing them as a single concatenated string, e.g. “Apple: Included; Google Chrome: Included; Microsoft: Included; Mozilla: Included”. This field pulls the individual status values from the Root Certificate record, so is the same for all Intermediate Certificate records subordinate to a given Root Certificate record.


The AllCertificateRecordsCSVFormat report includes several separate columns (e.g. ‘Mozilla Status’) that appear similar to the information provided in this new column. These Store-specific columns are used on both Root Certificate and Intermediate Certificate records. The new column pulls from the same information as the Store-specific columns do on Root Certificate records, so in this regard the new column is not net-new information. However, on Intermediate Certificate records this same field does not always match that of its parent Root Certificate record, creating some doubt as to the correct status of Intermediate Certificate records.


[Request] Related to this change, the CCADB Steering Committee would like to understand if there is any extant reliance on the Store-specific “Status” columns. We propose removing those in the future if they are not currently being relied upon.


Derived Trust Bits

The second problem identified is a little more straightforward, in that the current AllCertificateRecordsCSVFormat report does not include details regarding the “trust bits” which the CCADB has determined apply to a given Root or Intermediate Certificate record (represented within the CCADB in the “Derived Trust Bits” field). This information is helpful in determining a variety of expectations about the certificate, such as the applicable audit criteria or information disclosure requirements.


It may be important to note that the CCADB’s “Derived Trust Bits” do not, in all cases, match other similar data sources [3] which leverage this information. In some cases this is because the CCADB incorporates additional context and in other cases because the CCADB lacks additional context. We hope that this additional column will help us all to better understand where and how future improvements to the CCADB should be made.


This updated report has been deployed and is available for use now. If you have any concerns with these updates or encounter any issues, please let us know (preferentially here, but sup...@ccadb.org works too).


Thank you

- Clint, on Behalf of the CCADB Steering Committee


[1] https://www.ccadb.org/resources

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1850031

[3] https://crt.sh/mozilla-disclosures
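As an added example (not code from the CCADB or from this post), a small Python reader for the report shape described above: it splits the concatenated “Status of Root Cert” string per store, flags Intermediate Certificate records whose store-specific status column disagrees with the root-derived status, and tolerates a stray trailing comma on data lines. The “Record Type” and “Certificate Name” column names and the “;” separator inside “Derived Trust Bits” are assumptions; the sample rows are constructed.

```python
import csv
import io

# Constructed sample shaped like the AllCertificateRecordsCSVFormat report. Only
# "Mozilla Status", "Status of Root Cert" and "Derived Trust Bits" are named in the
# announcement; "Record Type", "Certificate Name" and the ";" separator used inside
# "Derived Trust Bits" are assumptions made for this example.
SAMPLE_CSV = """\
Record Type,Certificate Name,Mozilla Status,Status of Root Cert,Derived Trust Bits
Root Certificate,Example Root,Included,Apple: Included; Google Chrome: Included; Microsoft: Included; Mozilla: Included,Websites; Email
Intermediate Certificate,Example Intermediate A,Included,Apple: Included; Google Chrome: Included; Microsoft: Included; Mozilla: Included,Websites
Intermediate Certificate,Example Intermediate B,Not Included,Apple: Included; Google Chrome: Included; Microsoft: Included; Mozilla: Included,Websites; Email
"""

def parse_root_status(value):
    """Turn 'Apple: Included; Mozilla: Included' into {'Apple': 'Included', ...}."""
    statuses = {}
    for part in value.split(";"):
        store, sep, status = part.partition(":")
        if sep:
            statuses[store.strip()] = status.strip()
    return statuses

def parse_trust_bits(value):
    """Split the 'Derived Trust Bits' cell into a list of trust bit names."""
    return [bit.strip() for bit in value.split(";") if bit.strip()]

def load_records(text):
    """Read the report into dicts; csv.DictReader stores fields beyond the header
    under key None, which is what a trailing comma on every data line yields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row.pop(None, None)  # drop the stray trailing empty field, if present
        records.append(row)
    return records

def find_status_mismatches(records, store="Mozilla"):
    """Names of Intermediate Certificate records whose store-specific status
    column disagrees with the root-derived status for that store."""
    mismatches = []
    for row in records:
        if row["Record Type"] != "Intermediate Certificate":
            continue
        root_status = parse_root_status(row["Status of Root Cert"])
        if root_status.get(store) != row[f"{store} Status"]:
            mismatches.append(row["Certificate Name"])
    return mismatches
```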

Rob Stradling
Sep 28, 2023, 9:41:30 AM
to public
Thanks Clint.

Each line in AllCertificateRecordsCSVFormat (except for the header line) now has a trailing comma.  Is this deliberate?


Chris Clements
Sep 28, 2023, 10:32:22 AM
to Rob Stradling, public
Hi Rob,

Thank you for your attention to detail. That was not deliberate and has since been resolved.

Thanks again!
-Chris
