Issue 732427 link

Starred by 4 users

Issue metadata

Status:	Verified
Owner:	rsleevi@chromium.org
Closed:	Sep 2017
Cc:	eranm@chromium.org eroman@chromium.org asymmetric@chromium.org
Components:	Internals>Network>Certificate Internals>Network>EV
EstimatedDays:	----
NextAction:	----
OS:	Linux , Windows , Chrome , Mac
Pri:	2
Type:	Bug
M-61

Remove EV Certs Whitelist

Project Member Reported by rsleevi@chromium.org, Jun 12 2017

Issue description

The EV Certs Whitelist was introduced to handle the transition to requiring CT for EV certificates in 2015/01/01. It contained a whitelist of those publicly-disclosed EV certificates issued prior to that date, and which should maintain their EV status.

As an EV certificate is only valid for 27 months, by virtue of the EV Guidelines, we're now past the point where all valid EV certificates have expired. This means that the code - and the component - can be safely and fully removed.

Comment 1 by eranm@chromium.org, Jun 12 2017

You may want to refer to the following bugs that are related to the EV whitelist:
https://bugs.chromium.org/p/chromium/issues/detail?id=425174
https://bugs.chromium.org/p/chromium/issues/detail?id=457949
https://bugs.chromium.org/p/chromium/issues/detail?id=514676
https://bugs.chromium.org/p/chromium/issues/detail?id=524635
https://bugs.chromium.org/p/chromium/issues/detail?id=559460

Project Member

Comment 2 by bugdroid1@chromium.org, Jun 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1

commit cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Jun 14 10:18:26 2017

Remove the EV Certs Whitelist

Introduced as part of the 2015/01/01 requirement that all EV
certificates should be accompanied by Certificate Transparency
information, the EVCertWhitelist contained the set of publicly
logged EV certificates issued prior to that date, to ensure they
maintained their EV status.

As an EV certificate is only valid for 27 months, the whitelist has
been shrinking over time, with the most recent update trimming it to
around 100 certificates.

However, as 27 months have passed since 2015/01/01, the whitelist is
no longer needed, and as such, the entire supporting infrastructure is
also no longer needed.

This rewinds the code by:
  - Removing the EVCertsWhitelist from //net
  - Removing the distinct EV CT policy from CTPolicyEnforcer
  - Unwinding the EV CT status from the CTVerifyResult and SSLInfo
  - Removing the specific Golomb-coded compressed CT EV whitelist logic
  - Removing the Component Updater version of the EV whitelist
  - Removing all metrics related to the EV whitelist

BUG= 732427 
TBR=lcwu@chromium.org,sergeyu@chromium.org,isherman@chromium.org

Review-Url: https://codereview.chromium.org/2937563002
Cr-Commit-Position: refs/heads/master@{#479343}

[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/WATCHLISTS
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/chrome/browser/BUILD.gn
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/chrome/browser/chrome_browser_main.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/chrome/browser/chromeos/login/session/user_session_manager.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/chrome/browser/component_updater/DEPS
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/chrome/browser/component_updater/ev_whitelist_component_installer.cc
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/chrome/browser/component_updater/ev_whitelist_component_installer.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/chromecast/browser/url_request_context_factory.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/components/BUILD.gn
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/BUILD.gn
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/DEPS
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/OWNERS
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/bit_stream_reader.cc
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/bit_stream_reader.h
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/bit_stream_reader_unittest.cc
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/packed_ct_ev_whitelist.cc
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/packed_ct_ev_whitelist.h
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/components/packed_ct_ev_whitelist/packed_ct_ev_whitelist_unittest.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/content/common/common_param_traits_unittest.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/content/common/resource_messages.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/content/common/resource_messages.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/content/shell/browser/shell_url_request_context_getter.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/BUILD.gn
[delete] https://crrev.com/7fa075e8c7635e26f35041b62cd34da83c575e72/net/cert/ct_ev_whitelist.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/cert/ct_policy_enforcer.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/cert/ct_policy_enforcer.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/cert/ct_policy_enforcer_unittest.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/cert/ct_policy_status.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/cert/ct_verify_result.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/cert/ct_verify_result.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/quic/chromium/crypto/proof_verifier_chromium.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/quic/chromium/crypto/proof_verifier_chromium_test.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/socket/ssl_server_socket_unittest.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/spdy/chromium/spdy_test_util_common.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/ssl/ssl_config_service.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/ssl/ssl_config_service.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/ssl/ssl_info.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/ssl/ssl_info.h
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/net/url_request/url_request_unittest.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/remoting/protocol/ssl_hmac_channel_authenticator.cc
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/tools/metrics/histograms/enums.xml
[modify] https://crrev.com/cd7390ed559bc7101d0c29b2bc2e5b71b01c8eb1/tools/metrics/histograms/histograms.xml

Comment 3 by rsleevi@chromium.org, Sep 1 2017

Status: Verified (was: Assigned)

►

Issue 732427 link

Issue metadata

Remove EV Certs Whitelist

Issue description

Comment 1 by eranm@chromium.org, Jun 12 2017

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Jun 14 2017

Comment 2 Deleted

Comment 3 by rsleevi@chromium.org, Sep 1 2017

Comment 3 Deleted

Sign in to add a comment