Deprecate trust in Symantec certificates
Issue description

As stated in https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html, a phased approach to distrusting Symantec certificates will be followed. This can be measured in three implementation phases:

1) Certificates issued after December 1, 2017 from Symantec's legacy infrastructure will not be trusted
2) Certificates issued before June 1, 2016 from Symantec's legacy infrastructure will not be trusted
3) All certificates issued from Symantec's legacy infrastructure will not be trusted.

In addition, one other technical constraint is added:

4) All certificates issued from Symantec's/DigiCert's new managed infrastructure must be CT Compliant to be trusted.

#1 and #4 cannot be completed until after Dec 1, 2017 - thus, M65.
#2 will be landed in M66.
#3 will be landed in M70.

This bug tracks the implementation progress of the complete distrust.
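The schedule in the issue description, written out as an added example for auditing a certificate inventory; this is not Chromium's code and not part of the original issue. Assumptions: the infrastructure classification is supplied by the caller, the certificate's notBefore stands in for its issuance date, and the boundaries follow the commit message wording "on/after 2016-06-01 but before 2017-12-01" for the remainder. All names, hostnames and dates in the sample inventory are constructed.

```python
from datetime import datetime, timezone
from enum import Enum

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Dates and milestones as given in the issue description and commit messages.
PHASE2_CUTOFF = utc(2016, 6, 1)    # legacy certs before this: distrusted in M66
PHASE1_CUTOFF = utc(2017, 12, 1)   # legacy certs on/after this: distrusted in M65

class Infra(Enum):
    LEGACY = "Symantec legacy infrastructure"
    MANAGED = "Symantec/DigiCert managed infrastructure"
    OTHER = "any other CA"

def distrust_milestone(infra, not_before, ct_compliant):
    """First Chrome milestone that rejects the certificate, or None if unaffected."""
    if infra is Infra.OTHER:
        return None
    if infra is Infra.MANAGED:
        return None if ct_compliant else 65     # constraint 4
    if not_before >= PHASE1_CUTOFF:
        return 65                               # phase 1
    if not_before < PHASE2_CUTOFF:
        return 66                               # phase 2
    return 70                                   # phase 3: the remainder

def failing_hosts(inventory, chrome_milestone):
    """Hosts from the inventory whose certificate that Chrome milestone rejects."""
    out = []
    for host, infra, not_before, ct in inventory:
        m = distrust_milestone(infra, not_before, ct)
        if m is not None and chrome_milestone >= m:
            out.append(host)
    return out

# Constructed sample inventory (hostnames and dates are made up).
INVENTORY = [
    ("old.example.test", Infra.LEGACY, utc(2015, 3, 10), True),
    ("mid.example.test", Infra.LEGACY, utc(2016, 6, 1), True),
    ("late.example.test", Infra.LEGACY, utc(2017, 12, 1), True),
    ("managed-noct.example.test", Infra.MANAGED, utc(2018, 1, 15), False),
    ("managed.example.test", Infra.MANAGED, utc(2018, 1, 15), True),
]

if __name__ == "__main__":
    for milestone in (65, 66, 70):
        print(milestone, failing_hosts(INVENTORY, milestone))
```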
Dec 27 2017
Dec 27 2017
Mar 19 2018
Where does 1) come from in https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html? That exact inverse seems to be the case? "Site Operators that obtained a certificate from Symantec’s old infrastructure after June 1, 2016 are unaffected by Chrome 66 but will need to obtain a new certificate by the Chrome 70 dates described below."
Mar 19 2018
"Additionally, by December 1, 2017, Symantec will transition issuance and operation of publicly-trusted certificates to DigiCert infrastructure, and certificates issued from the old Symantec infrastructure after this date will not be trusted in Chrome."
Mar 19 2018
Jul 11
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c671bf913c328f7788df5046dd7b81bee3e17a04

commit c671bf913c328f7788df5046dd7b81bee3e17a04
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Jul 11 22:16:22 2018

Support disabling the remainder of the Symantec Legacy PKI

Introduce a base::Feature flag that controls how the remainder of the Symantec Legacy PKI - that is, certs issued on/after 2016-06-01 but before 2017-12-01 - are handled.

Bug: 796230
Change-Id: Iebe9976ace0dfcdfd02f844fdaf497cf67dde704
Reviewed-on: https://chromium-review.googlesource.com/1134037
Reviewed-by: David Benjamin <davidben@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574370}

[modify] https://crrev.com/c671bf913c328f7788df5046dd7b81bee3e17a04/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/c671bf913c328f7788df5046dd7b81bee3e17a04/net/cert/cert_verify_proc.h
[modify] https://crrev.com/c671bf913c328f7788df5046dd7b81bee3e17a04/net/cert/cert_verify_proc_unittest.cc
Jul 24
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4ea221486494c8e4b46784b52141ba48163a49f4

commit 4ea221486494c8e4b46784b52141ba48163a49f4
Author: Nick Harper <nharper@chromium.org>
Date: Tue Jul 24 09:56:16 2018

Replace certificate for multiple OID EV test

CertVerifyProcInternalTest.EVVerificationMultipleOID uses a certificate from trustcenter.websecurity.symantec.com, but the test fails with the upcoming Symantec Legacy PKI distrust. This replaces the test certificate with another that has the 2.23.140.1.1 OID before 2.16.840.1.113733.1.7.23.6 in X509v3 Certificate Policies extension.

Bug: 705285, 796230
Change-Id: I0ed5d50d727a712d7c38babdb9ecfdfd30d50cc5
Reviewed-on: https://chromium-review.googlesource.com/1147665
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577471}

[modify] https://crrev.com/4ea221486494c8e4b46784b52141ba48163a49f4/net/BUILD.gn
[modify] https://crrev.com/4ea221486494c8e4b46784b52141ba48163a49f4/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/4ea221486494c8e4b46784b52141ba48163a49f4/net/data/ssl/certificates/README
[add] https://crrev.com/4ea221486494c8e4b46784b52141ba48163a49f4/net/data/ssl/certificates/login.trustwave.com.pem
[delete] https://crrev.com/c44f810cbe81532a80b76259d267f063a253278f/net/data/ssl/certificates/trustcenter.websecurity.symantec.com.pem
Jul 24
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/264209c0622c077caa2378b869e3ce41a9fd3fd2

commit 264209c0622c077caa2378b869e3ce41a9fd3fd2
Author: Nick Harper <nharper@chromium.org>
Date: Tue Jul 24 23:28:15 2018

Disable CertVerifyProcMacTest.MacKeychainReordering

TBR=mattm@chromium.org

Bug: 796230, 867174
Change-Id: I4ece7e608e597c9455bac468f828bdee91233c16
Reviewed-on: https://chromium-review.googlesource.com/1149197
Reviewed-by: Nick Harper <nharper@chromium.org>
Commit-Queue: Nick Harper <nharper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577728}

[modify] https://crrev.com/264209c0622c077caa2378b869e3ce41a9fd3fd2/net/cert/cert_verify_proc_mac_unittest.cc
Jul 25
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ff77dbed6aa45f0a131a8119ae7317ae19c65706

commit ff77dbed6aa45f0a131a8119ae7317ae19c65706
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Jul 25 01:27:51 2018

Distrust the remainder of the Symantec Legacy PKI

As previously communicated, and as documented at https://g.co/chrome/symantecpkicerts, certificates issued by the Symantec Legacy PKI Infrastructure between 2016-06-01 and 2017-12-01 will no longer be trusted.

This changes the default state to remove trust in these certificates. Certificates issued under the DigiCert Managed PKI, or those from previously-identified, independent third-party CAs, are not affected.

Bug: 796230, 805460
Change-Id: I74bdecc9dfdd66dec1a111f9eddb830babfa8222
Reviewed-on: https://chromium-review.googlesource.com/1134209
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577764}

[modify] https://crrev.com/ff77dbed6aa45f0a131a8119ae7317ae19c65706/net/cert/cert_verify_proc.cc
Dec 14
Comment 1 by bugdroid1@chromium.org, Dec 23 2017