CCADB Update: Enhance Derived Trust Bit and Extended Validation logic and add transitive trust status for intermediate records


Chris Clements

May 23, 2025, 10:17:32 AM
to public

All,


On May 29, 2025, the CCADB will be updated, introducing changes to the Derived Trust Bit (DTB) and Extended Validation (EV) logic and adding transitive trust status for intermediate certificate records.


The CCADB will be unavailable to CA Owners from May 29, 2025, at approximately 08:00PM PDT, until May 30, 2025, at approximately 08:00PM PDT.


The new functionality should:

  • Add new auto-populated fields for root and intermediate certificates and enhance the logic for determining DTBs and EV-enablement. [1815933]
  • Better inform CA Owners of missing audit reports or unintended EV treatment (via updated logic) for their certificates in the CA Task List reports.
  • Enhance Audit Letter Validation (ALV) by sending `Trust Bits for Root Cert & DTBs` from the CCADB to ALV for root certificates. The additional values sent will be visible to CA Owners in the ‘Add/Update Root Request’ Case UI in a new column called `Additional DTBs` on the AUDITS tab.
  • Better align the CCADB trust bits and EV enablement with the trust properties conveyed by crt.sh.
  • Improve the determination and communication of Root Store trust status for all intermediate certificate records and certificates sharing the same Subject+SPKI, displaying trust information (e.g., `Trusted` or `Not Trusted`) for each Root Store, while considering program-specific evaluations. [1967751]
  • Change the "Certificate Data [Fields NOT editable; extracted from PEM]" page layout header to two distinct headers to better differentiate certificate PEM data from CCADB-generated data.
  • Update the AllCertificateRecordsCSVFormatv2 report to add two new fields to the end of the file: `Trust Bits for Root Cert` and `EV OIDs for Root Cert`.
  • Deprecate `Code` (i.e., code signing) from the Mozilla set of Trust Bits because it is no longer processed by Mozilla.
  • Add more EKU OID mappings to the CCADB. [1796686]

The AUDITS user guide, Understanding AllCertificateRecordsReport.csv document, and several pages on ccadb.org will be updated to reflect the changes from this enhancement in more detail.


Notifications regarding the start and completion of this release will be sent by the CCADB to all participating CA Owners next week. We also plan to provide an update here next week at the release's conclusion.


Thank you

-Chris, on behalf of the CCADB Steering Committee


Chris Clements

May 30, 2025, 3:03:33 PM
to public
All,

The CCADB update to enhance the Derived Trust Bit (DTB) and Extended Validation (EV) logic and add transitive trust status for intermediate certificate records is now complete. CA Owner access to the CCADB has been restored.

This update:
  • Adds new auto-populated fields for root and intermediate certificates and enhances the logic for determining DTBs and EV-enablement. [1815933]
  • Better informs CA Owners of missing audit reports or unintended EV treatment (via updated logic) for their certificates in the CA Task List reports.
  • Enhances Audit Letter Validation (ALV) by sending `Trust Bits for Root Cert & DTBs` from the CCADB to ALV for root certificates. The additional values sent will be visible to CA Owners in the ‘Add/Update Root Request’ Case UI in a new column called `Additional DTBs` on the AUDITS tab.
  • Better aligns the CCADB trust bits and EV enablement with the trust properties conveyed by crt.sh.
  • Improves the determination and communication of Root Store trust status for all intermediate certificate records and certificates sharing the same Subject+SPKI, displaying trust information (e.g., `Trusted` or `Not Trusted`) for each Root Store, while considering program-specific evaluations. [1967751]
  • Changes the "Certificate Data [Fields NOT editable; extracted from PEM]" page layout header to two distinct headers to better differentiate certificate PEM data from CCADB-generated data.
  • Updates the AllCertificateRecordsCSVFormatv2 report to add two new fields to the end of the file: `Trust Bits for Root Cert` and `EV OIDs for Root Cert`.
  • Deprecates `Code` (i.e., code signing) from the Mozilla set of Trust Bits because it is no longer processed by Mozilla.
  • Adds more EKU OID mappings to the CCADB. [1796686]
The AUDITS user guide, Understanding AllCertificateRecordsReport.csv document, and several pages on ccadb.org will be updated to reflect the changes from this enhancement in more detail.

Please continue to contact CCADB Support (sup...@ccadb.org) with any questions regarding the CCADB.


Thank you
-Chris, on behalf of the CCADB Steering Committee