
Issue 620178

Starred by 12 users

Issue metadata

Status: Verified
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

Blocked on:
issue 620179
issue 621252




Require CT information for Symantec operated CAs for certificates issued after 1 June 2016

Project Member Reported by rsleevi@chromium.org, Jun 15 2016

Issue description

Blockedon: 620179
Blockedon: 621252
Cc: cbentzel@chromium.org

Comment 4 by eroman@chromium.org, Jun 21 2016

Components: -Internals>Network>SSL Internals>Network>Certificate

Comment 5 by bugdroid1@chromium.org, Jun 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/41b3461991dc5869407b9b2f17e086c0801bb522

commit 41b3461991dc5869407b9b2f17e086c0801bb522
Author: rsleevi <rsleevi@chromium.org>
Date: Thu Jun 30 00:18:25 2016

Add error strings for CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED

Add error text for CERT_STATUS_CERTIFICATE_TRANSPARENCY_REQUIRED,
which is triggered when a certificate is required to be disclosed
via Certificate Transparency (either intrinsic to the cert or
because the site is configured to require that for all of its certs)

BUG= 620178 

Review-Url: https://codereview.chromium.org/2083913002
Cr-Commit-Position: refs/heads/master@{#403015}

[modify] https://crrev.com/41b3461991dc5869407b9b2f17e086c0801bb522/components/ssl_errors/error_info.cc
[modify] https://crrev.com/41b3461991dc5869407b9b2f17e086c0801bb522/components/ssl_errors/error_info.h
[modify] https://crrev.com/41b3461991dc5869407b9b2f17e086c0801bb522/components/ssl_errors_strings.grdp
[modify] https://crrev.com/41b3461991dc5869407b9b2f17e086c0801bb522/content/browser/ssl/ssl_policy.cc


Comment 6 by bugdroid1@chromium.org, Jun 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96356f8d5e565b402c85b3a4c4a58d58fb594dbd

commit 96356f8d5e565b402c85b3a4c4a58d58fb594dbd
Author: rsleevi <rsleevi@chromium.org>
Date: Thu Jun 30 09:01:20 2016

Add and connect an Enterprise Policy for whitelisting
hosts as exempt from Certificate Transparency policy.

This introduces a policy
(CertificateTransparencyEnforcementDisabledForUrls) that
allows exempting certain hostnames from the Certificate
Transparency requirements. Some CAs, such as Symantec and
CNNIC at present, are required to disclose their
certificates via CT in order to have them trusted; any
certificate not disclosed is not trusted.

However, to accommodate some enterprise users who have the
capability to manage Chromium consumers, but cannot
manage other certificate-consuming systems on their
network, and which need certificates from these CAs, and
which claim that they cannot have these hosts disclosed
publicly (e.g. "topsecret.internal.example.com"), this
provides a policy mechanism to allow those hosts to be
exempted from CT requirement.

This is not a blanket policy for general hosts on the
Internet; in general, all certificates from these CAs
must conform, unless the device is enterprise managed.

Whether or not this policy ends up being temporary or not
depends on the IETF and CA community, and whether or not
a suitable technical means of redaction can be devised
which allows redaction (e.g. "?.?.example.com") to be
safely performed. For now and the foreseeable future,
redaction is not viable for Chromium, so the enterprise
policy is offered as an alternative.

BUG= 620178 
TBR=atwilson@chromium.org

Review-Url: https://codereview.chromium.org/2102783003
Cr-Commit-Position: refs/heads/master@{#403125}

[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/chrome/browser/policy/policy_browsertest.cc
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/chrome/browser/prefs/browser_prefs.cc
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/chrome/browser/profiles/profile_io_data.cc
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/chrome/browser/profiles/profile_io_data.h
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency.gypi
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency/BUILD.gn
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency/DEPS
[add] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency/ct_policy_manager.cc
[add] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency/ct_policy_manager.h
[add] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency/ct_policy_manager_unittest.cc
[add] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency/pref_names.cc
[add] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/certificate_transparency/pref_names.h
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/components_tests.gyp
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/components/policy/resources/policy_templates.json
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/net/http/transport_security_state.cc
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/net/http/transport_security_state.h
[modify] https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd/tools/metrics/histograms/histograms.xml


Comment 7 by bugdroid1@chromium.org, Jun 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c77495f99003b06f5e9d6ac750b6ffb0afdb582a

commit c77495f99003b06f5e9d6ac750b6ffb0afdb582a
Author: rsleevi <rsleevi@chromium.org>
Date: Thu Jun 30 23:15:26 2016

Require Certificate Transparency for Symantec-operated roots

In line with
https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
this CL requires that all Symantec-issued certificates
after 1 June 2016 be CT qualified, as defined by the
Certificate Transparency in Chrome Policy -
https://www.chromium.org/Home/chromium-security/certificate-transparency

Any certificates that are not CT qualified will cause
an interstitial with ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.

BUG= 620178 

Review-Url: https://codereview.chromium.org/2109913004
Cr-Commit-Position: refs/heads/master@{#403328}

[modify] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/data/ssl/blacklist/README.md
[modify] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/data/ssl/certificates/README
[add] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/data/ssl/certificates/post_june_2016.pem
[add] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/data/ssl/certificates/pre_june_2016.pem
[modify] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/data/ssl/scripts/generate-test-certs.sh
[add] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/data/ssl/symantec/README.md
[modify] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/http/transport_security_state.cc
[add] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/http/transport_security_state_ct_policies.inc
[modify] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a/net/net.gypi
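Added example, not Chromium's own code: a model of the enforcement decision that comments 6 and 7 describe (Symantec-anchored chain, excluded sub-CAs, the 1 June 2016 cutoff, the enterprise host exemption, and the CT-qualified check that otherwise ends in ERR_CERTIFICATE_TRANSPARENCY_REQUIRED). The fingerprints, hosts and chains are constructed placeholders, and the host matcher is a simplification of the URL-pattern policy.

```cpp
// Added example, not Chromium code: a model of the CT enforcement decision
// described in this bug. Chromium keeps the real root and exclusion sets in
// net/http/transport_security_state_ct_policies.inc; the hashes, hosts and
// chains below are constructed placeholders.
#include <iostream>
#include <set>
#include <string>
#include <vector>

// One certificate of the verified chain, reduced to what the policy needs.
struct CertInfo {
  std::string spki_sha256;  // hex SHA-256 of the SubjectPublicKeyInfo
  long not_before_unix;     // notBefore as seconds since the Unix epoch (UTC)
};

// Outcome for the connection.
enum class CtDecision {
  kNotRequired,        // the requirement does not apply to this chain/host
  kCompliant,          // required and satisfied (chain is CT qualified)
  kRequiredButMissing  // surfaces as ERR_CERTIFICATE_TRANSPARENCY_REQUIRED
};

struct CtPolicy {
  std::set<std::string> symantec_roots;    // roots that trigger the requirement
  std::set<std::string> excluded_sub_cas;  // independently operated sub-CAs
  std::set<std::string> exempt_hosts;      // CertificateTransparencyEnforcementDisabledForUrls
  long cutoff_unix;                        // leaf certs issued at/after this need CT
};

// 2016-06-01T00:00:00Z: the issuance cutoff named in this bug.
constexpr long kJune2016 = 1464739200L;

// Hypothetical host matcher (assumption): exact match or any subdomain of an
// exempt entry. The real policy takes URL patterns; this is a simplification.
static bool HostExempt(const std::set<std::string>& exempt, const std::string& host) {
  for (const auto& e : exempt) {
    if (host == e) return true;
    const std::string suffix = "." + e;
    if (host.size() > suffix.size() &&
        host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0)
      return true;
  }
  return false;
}

// chain[0] is the leaf, chain.back() is the trust anchor. ct_qualified says
// whether the presented SCTs satisfy the CT-in-Chrome policy (decided elsewhere).
CtDecision Evaluate(const CtPolicy& policy, const std::string& host,
                    const std::vector<CertInfo>& chain, bool ct_qualified) {
  if (chain.size() < 2) return CtDecision::kNotRequired;  // nothing to attribute
  // 1. Only chains anchored at a Symantec-operated root are in scope.
  if (!policy.symantec_roots.count(chain.back().spki_sha256))
    return CtDecision::kNotRequired;
  // 2. Independently operated sub-CAs (net/data/ssl/symantec/excluded) are carved out.
  for (size_t i = 1; i + 1 < chain.size(); ++i)
    if (policy.excluded_sub_cas.count(chain[i].spki_sha256))
      return CtDecision::kNotRequired;
  // 3. Only leaf certificates issued on or after 1 June 2016 are covered.
  if (chain[0].not_before_unix < policy.cutoff_unix) return CtDecision::kNotRequired;
  // 4. Enterprise exemption for hosts that cannot be disclosed publicly.
  if (HostExempt(policy.exempt_hosts, host)) return CtDecision::kNotRequired;
  // 5. In scope: CT qualified, or the page is blocked with an interstitial.
  return ct_qualified ? CtDecision::kCompliant : CtDecision::kRequiredButMissing;
}

// Constructed policy with placeholder fingerprints (not real ones).
CtPolicy ExamplePolicy() {
  CtPolicy p;
  p.symantec_roots = {"SYMANTEC_ROOT_PLACEHOLDER"};
  p.excluded_sub_cas = {"INDEPENDENT_SUBCA_PLACEHOLDER"};
  p.exempt_hosts = {"internal.example.com"};  // as set by enterprise policy
  p.cutoff_unix = kJune2016;
  return p;
}

// Constructed three-certificate chain under the placeholder Symantec root.
std::vector<CertInfo> ChainViaSymantec(long leaf_not_before, bool via_excluded_sub_ca) {
  const char* ica = via_excluded_sub_ca ? "INDEPENDENT_SUBCA_PLACEHOLDER"
                                        : "SYMANTEC_ICA_PLACEHOLDER";
  return {{"LEAF_PLACEHOLDER", leaf_not_before},
          {ica, 0},
          {"SYMANTEC_ROOT_PLACEHOLDER", 0}};
}

int main() {
  const CtPolicy policy = ExamplePolicy();
  const CtDecision d =
      Evaluate(policy, "www.example.com", ChainViaSymantec(kJune2016, false), false);
  std::cout << "Symantec leaf issued 1 June 2016 with no SCTs -> "
            << (d == CtDecision::kRequiredButMissing
                    ? "ERR_CERTIFICATE_TRANSPARENCY_REQUIRED" : "allowed")
            << "\n";
  return 0;
}
```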


Comment 8 by bugdroid1@chromium.org, Jul 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bd59b11124c47ae3e62bed05fc46cc924f7bc4b7

commit bd59b11124c47ae3e62bed05fc46cc924f7bc4b7
Author: rsleevi <rsleevi@chromium.org>
Date: Fri Jul 01 03:24:17 2016

Require CT for the Symantec-operated, Thawte-branded roots (active and retired)

BUG= 620178 

Review-Url: https://codereview.chromium.org/2118723002
Cr-Commit-Position: refs/heads/master@{#403399}

[modify] https://crrev.com/bd59b11124c47ae3e62bed05fc46cc924f7bc4b7/net/http/transport_security_state_ct_policies.inc

Will need to merge the Thawte roots to the M-53 branch, as well as the few additional pending roots pointed out to me. But will wait until next week for the Merge-Request.

Comment 10 by sheriffbot@chromium.org, Jul 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -M-54 -MovedFrom-53 M-53

Comment 12 by bugdroid1@chromium.org, Jul 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33b3ff6f1b878e3598f7dca280e72708dc5d7ace

commit 33b3ff6f1b878e3598f7dca280e72708dc5d7ace
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Jul 06 23:23:31 2016

Add additional Symantec roots to the CT requirement

This updates the last set of CT-enforced roots to include the
decommissioned TC TrustCenter roots that Symantec acquired in
July 2010. Although these roots are not supposed to issue
any further certificates (intermediate or sub-CAs), they remain
trusted on OS X, so cover them for comprehensiveness.

This also includes Symantec's G4/G6/G7 CAs, which are either
trusted by Microsoft or pending inclusion.

BUG= 620178 

Review-Url: https://codereview.chromium.org/2122383002
Cr-Commit-Position: refs/heads/master@{#403971}

[modify] https://crrev.com/33b3ff6f1b878e3598f7dca280e72708dc5d7ace/net/http/transport_security_state_ct_policies.inc

I understand from [1] that you're excluding the Symantec Sub-CAs "which have been disclosed as independently operated, whose keys are not in control of Symantec, and which are maintaining a current and appropriate audit."

One of those excluded Sub-CAs is "Google Internet Authority G2".  Have you considered omitting this from the excluded Sub-CA list?
i.e. is Google ready to eat its own "Require CT" dogfood?  (If not, it would be fascinating to hear what obstacles remain).

[1] https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/symantec/README.md

Comment 15 by sleevi@google.com, Jul 7 2016

Rob, probably not the discussion for this bug, but the short answer is "That's what we said would happen" and "Minimize the number of changes you make at once". Opting out GIAG2 is a go-forward security improvement, while opting Symantec in (and ensuring as limited disruption as possible) is about mitigating existing and known risks.

Comment 16 by pzbo...@gmail.com, Jul 7 2016

Based on CT logs, a number of the roots listed in this issue have sub-CAs that list non-Symantec organizations in DN.  These include:

Aetna Inc. (*)
Apple Inc. (*)
CertCenter AG
Framework Solutions
Google Inc (*)
Hostpoint AG
Intermediate Certificate
NTT DOCOMO, INC.
STRATO AG
TATI
Trans Sped SRL
TrustAsia Technologies, Inc.
Trust Provider B.V.
UniCredit S.p.A. (*)
Volusion, Inc.

The README only lists those marked with (*).  Are the remaining CAs all Symantec-operated?
Yes, that is what is claimed by Symantec.
Cc: dchan@chromium.org tienchang@chromium.org
Components: Enterprise

Comment 19 by pzbo...@gmail.com, Jul 8 2016

It looks like several certs are missing from the excluded list.  

6de90978910422a89e26f2df85971430c3f44cd1785dad94308f7ca4b6fbe521 and a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed are Apple subordinates.

44336eb05c6c783dc177217a9f6fef75f4524e98045b390803ae9de69eb42b08, 9f630426df1d8abfd80ace98871ba833ab9742cb34838de2b5285ed54c0c7dcc, and a4124fdaf9cac7baee1cab32e3225d746500c09f3cf3ebb253ef3fbb088afd34 are unexpired Google subordinates.

adb034413ad16b538c57f5a0bd103b3504736f99b0c762a53e72fa7a2b5eca46 and fdadfc959cbeeecbdb60711a7143bf9922f3e7c232ff59cb59 are unexpired UniCredit subordinates.
These are not missing.
Labels: Merge-Request-53
TPMs: Looking to merge the commits from Comment 8, Comment 12, and Comment 13 (This expands the scope of CT enforcement to fully cover Symantec)

Comment 22 by dimu@google.com, Jul 18 2016

Labels: -Merge-Request-53 Merge-Review-53 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Before we approve merge to M53, could you please confirm whether this change is baked/verified in Canary and safe to merge?
govind: Yes, I did :) I was waiting on those merge requests per comment #9
Labels: -Merge-Review-53 Merge-Approved-53
Thank you. Approving merge for CLs listed at comment #21 to M53 branch 2785 based on comment #24. Please note that we're cutting Desktop M53 Dev RC today @ 6:00 PM PST for dev release tomorrow.

Comment 26 by bugdroid1@chromium.org, Jul 20 2016

Labels: -merge-approved-53 merge-merged-2785
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6c96230063fee0fa7d45e8d1799f1733a594f51b

commit 6c96230063fee0fa7d45e8d1799f1733a594f51b
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Jul 20 02:38:23 2016

Require CT for the Symantec-operated, Thawte-branded roots (active and retired)

BUG= 620178 

Review-Url: https://codereview.chromium.org/2118723002
Cr-Commit-Position: refs/heads/master@{#403399}
(cherry picked from commit bd59b11124c47ae3e62bed05fc46cc924f7bc4b7)

Review URL: https://codereview.chromium.org/2163853002 .

Cr-Commit-Position: refs/branch-heads/2785@{#237}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/6c96230063fee0fa7d45e8d1799f1733a594f51b/net/http/transport_security_state_ct_policies.inc


Comment 27 by bugdroid1@chromium.org, Jul 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/22bc72a04ae5ab1db182edfb601a96dfb9adeccd

commit 22bc72a04ae5ab1db182edfb601a96dfb9adeccd
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Jul 20 02:46:29 2016

Add additional Symantec roots to the CT requirement

This updates the last set of CT-enforced roots to include the
decommissioned TC TrustCenter roots that Symantec acquired in
July 2010. Although these roots are not supposed to issue
any further certificates (intermediate or sub-CAs), they remain
trusted on OS X, so cover them for comprehensiveness.

This also includes Symantec's G4/G6/G7 CAs, which are either
trusted by Microsoft or pending inclusion.

BUG= 620178 

Review-Url: https://codereview.chromium.org/2122383002
Cr-Commit-Position: refs/heads/master@{#403971}
(cherry picked from commit 33b3ff6f1b878e3598f7dca280e72708dc5d7ace)

Review URL: https://codereview.chromium.org/2164633003 .

Cr-Commit-Position: refs/branch-heads/2785@{#238}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/22bc72a04ae5ab1db182edfb601a96dfb9adeccd/net/http/transport_security_state_ct_policies.inc


Comment 29 by bugdroid1@chromium.org, Jul 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ad93be59f39a73f36fdf6d329b48892a08c3fc36

commit ad93be59f39a73f36fdf6d329b48892a08c3fc36
Author: rsleevi <rsleevi@chromium.org>
Date: Mon Jul 25 22:45:43 2016

Add Apple IST CA 8 to the Symantec exclusion, remove CA3 - G1 and NTT

Symantec originally indicated NTT DoCoMo was independently operated,
but subsequent investigation revealed it was part of Symantec's MPKI.
Apple's G3 is only audited to WebTrust for CAs, not SSL BRs, so removing
it from the exclusion set.

This adds Apple's CA 8 to the set, after communicating with Apple's PKI
team to receive confirmation that it was created pursuant to the
audited CP/CPS and is part of the same infrastructure.

BUG= 620178 

Review-Url: https://codereview.chromium.org/2177943004
Cr-Commit-Position: refs/heads/master@{#407618}

[add] https://crrev.com/ad93be59f39a73f36fdf6d329b48892a08c3fc36/net/data/ssl/symantec/excluded/a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem
[modify] https://crrev.com/ad93be59f39a73f36fdf6d329b48892a08c3fc36/net/http/transport_security_state_ct_policies.inc

Labels: -Hotlist-Merge-review -merge-merged-2785 Merge-Request-53
Setting M-R-53 for comment #29, which hasn't shown any issues since landing.

Comment 31 by dimu@chromium.org, Jul 29 2016

Labels: -Merge-Request-53 Merge-Review-53 Hotlist-Merge-Review
[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.
Labels: -Merge-Review-53 Merge-Approved-53
Approving merge to M53 branch 2785 based on comment #30. 

Comment 33 by sheriffbot@chromium.org, Jul 30 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 34 Deleted

Please try to merge your change to M53 branch 2785 ASAP so we can take it for this week's beta release on Wednesday. Thank you very much.

Comment 36 by bugdroid1@chromium.org, Aug 1 2016

Labels: -merge-approved-53 merge-merged-2785
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8c02f25c5b14ea8f1af8c7acaec58a125601b7a0

commit 8c02f25c5b14ea8f1af8c7acaec58a125601b7a0
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Mon Aug 01 23:07:22 2016

Add Apple IST CA 8 to the Symantec exclusion, remove CA3 - G1 and NTT

Symantec originally indicated NTT DoCoMo was independently operated,
but subsequent investigation revealed it was part of Symantec's MPKI.
Apple's G3 is only audited to WebTrust for CAs, not SSL BRs, so removing
it from the exclusion set.

This adds Apple's CA 8 to the set, after communicating with Apple's PKI
team to receive confirmation that it was created pursuant to the
audited CP/CPS and is part of the same infrastructure.

BUG= 620178 

Review-Url: https://codereview.chromium.org/2177943004
Cr-Commit-Position: refs/heads/master@{#407618}
(cherry picked from commit ad93be59f39a73f36fdf6d329b48892a08c3fc36)

Review URL: https://codereview.chromium.org/2198393002 .

Cr-Commit-Position: refs/branch-heads/2785@{#457}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[add] https://crrev.com/8c02f25c5b14ea8f1af8c7acaec58a125601b7a0/net/data/ssl/symantec/excluded/a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem
[modify] https://crrev.com/8c02f25c5b14ea8f1af8c7acaec58a125601b7a0/net/http/transport_security_state_ct_policies.inc

Status: Verified (was: Started)
Marking this part as Verified for M53.
