
Issue 793851

Starred by 2 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




Feature request: Allow access to managed certificate from all extensions

Reported by graham.g...@airbnb.com, Dec 11 2017

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 9901.77.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.97 Safari/537.36

Steps to reproduce the problem:
At present, extensions must be force installed to use our certificates. We have several extensions that will connect to internal resources that we do not want to force install - we want to allow the user to remove them if they wish.

What is the expected behavior?
The ability to mark certificates as being able to be used by all (or a whitelist) of extensions. 

What went wrong?
Extensions need to be force installed before they have access to our certs.

Did this work before? N/A 

Chrome version: 62.0.3202.97  Channel: stable
OS Version: 9901.77.0
Flash Version:
 

Comment 1 by emaxx@chromium.org, Dec 15 2017

Cc: emaxx@chromium.org
Labels: Enterprise-Triaged
Opening up access to "corporate" keys to all extensions (without any control from the admin's side) sounds insecure - a malicious extension would gain unrestricted ability to sign data using the key, which would effectively mean the key becomes shared with third parties (they can use it for impersonating the client in TLS, etc.).

As for the per-extension choice - isn't this existing already today? The "Allow access to client certificates and keys" checkbox in the Admin Console can be set even without the "Force installation" checkbox, and it should grant the given extension access to the "corporate" keys.
Agreed about the security risk. The option to allow this is there, but it appears to not function (at least with the extension I am attempting this with - I am unsure whether this is a result of the extension or the feature not working). I will write a small extension to verify one way or the other.
Status: Untriaged (was: Unconfirmed)
