
Issue 805460

Starred by 9 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 1
Type: Bug

Blocked on:
issue 881930

Blocking:
issue 796230
issue 797765




Distrust Symantec Certificates issued from the Legacy Symantec Infrastructure

Project Member Reported by rsleevi@chromium.org, Jan 24 2018

Issue description

As stated in https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html , a phased approach to distrusting Symantec certificates will be followed.

In M70, all certificates issued from Symantec's legacy infrastructure - that is, those not issued by the independently operated sub-CAs or Managed Partner Infrastructure - will be distrusted.
 
Blocking: 797765
Labels: Target-70
Blocking: 796230
Friendly ping to get an update on this issue.
Thanks..!
Project Member

Comment 5 by bugdroid1@chromium.org, Jul 25

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ff77dbed6aa45f0a131a8119ae7317ae19c65706

commit ff77dbed6aa45f0a131a8119ae7317ae19c65706
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Jul 25 01:27:51 2018

Distrust the remainder of the Symantec Legacy PKI

As previously communicated, and as documented at
https://g.co/chrome/symantecpkicerts, certificates issued
by the Symantec Legacy PKI Infrastructure between
2016-06-01 and 2017-12-01 will no longer be trusted. This
changes the default state to remove trust in these
certificates. Certificates issued under the DigiCert
Managed PKI, or those from previously-identified,
independent third-party CAs, are not affected.

Bug: 796230, 805460
Change-Id: I74bdecc9dfdd66dec1a111f9eddb830babfa8222
Reviewed-on: https://chromium-review.googlesource.com/1134209
Commit-Queue: Nick Harper <nharper@chromium.org>
Reviewed-by: Nick Harper <nharper@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577764}
[modify] https://crrev.com/ff77dbed6aa45f0a131a8119ae7317ae19c65706/net/cert/cert_verify_proc.cc

Issue 869201 has been merged into this issue.
Please check & update the issue status as per C#5
Thanks..!
Friendly ping to get an update on this issue as it is marked as RBB.
Thanks..!
There's nothing needed from the QA/Test side. This is a tracking bug that we're working with TPMs on :)

Comment 10 Deleted

Gentle ping to get an update on this issue as it is marked as RBB.
Thanks..!
@rsleevi: Friendly ping! Could you please provide any update on this issue as it has been marked as a beta blocker.

Thank You!
Cc: asymmetric@chromium.org
I thought Comment #9 captured this? We're working with TPMs to monitor.
Friendly ping to get an update on this issue as it is marked as RBB.
Thanks..!
Cc: awhalley@chromium.org abdulsyed@chromium.org
Status: Started (was: Assigned)
Note that this bug is ReleaseBlock-Beta and still open as it requires a merge to make it into the first M70 beta, but not any other channel. We'll coordinate with M70 desktop release TPM (abdulsyed@).
Labels: Merge-Request-70
To be clear what's being Merge-Request'd - https://chromium-review.googlesource.com/c/chromium/src/+/1205710
Labels: -Merge-Request-70 Merge-Approved-70
Approved - branch:3538
Project Member

Comment 20 by bugdroid1@chromium.org, Sep 5

Labels: -merge-approved-70 merge-merged-3538
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/12e0dae7c92f4b24532fb2862dc394079cdd5977

commit 12e0dae7c92f4b24532fb2862dc394079cdd5977
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Sep 05 19:19:41 2018

Use Finch to control Legacy Symantec Distrust on Beta

For M70 Beta+, use Finch to control whether or not the
Symantec Legacy PKI is trusted. This results in some
unpredictability for the First-Run experience, but
provides greater flexibility and ensures users can
"phone home" to get Finch updates if necessary.

Bug: 805460
Change-Id: I0cc07e3e473fa53b9b17f177db77aea75477b4e7
Reviewed-on: https://chromium-review.googlesource.com/1205710
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Andrew Whalley <awhalley@google.com>
Cr-Commit-Position: refs/branch-heads/3538@{#63}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/12e0dae7c92f4b24532fb2862dc394079cdd5977/net/cert/cert_verify_proc.cc

Blockedon: 881930
Labels: -ReleaseBlock-Beta
Removing release block beta label now.
