
Issue 824184

Issue metadata

Status: Verified
Closed: Apr 2018
Pri: 3
Type: Bug




Enterprise Policy for Issuing CA Exemption for CT

Project Member Reported by rsleevi@chromium.org, Mar 21 2018

Issue description

As captured in the discussion and summary at https://groups.google.com/a/chromium.org/d/msg/ct-policy/_YJiQNyuNAk/X9mLva7GBQAJ , express an additional Enterprise Policy for carving out CT exemptions, based on the Issuer SPKI hash.

Currently (pre-Chrome 67), the policy available is CertificateTransparencyEnforcementDisabledForUrls, which allows excluding by domain names, but has restrictions on the form of that expression (such as disallowing blanket wildcards).

Based on that discussion, the proposal is to allow an exception to be expressed based on SPKI. To avoid risk from both coercion and misissuance, this policy should be such that in order for this policy to apply, an intermediate within the certificate chain MUST identify the organization (that is, an O within the Distinguished Name), validated according to the CA/Browser Forum requirements, and that the leaf certificate being verified should similarly have that.

There's some complexity in just doing a byte-for-byte O identifier - a more proper expression is one that adheres to the BRs' notion of Subject Organization Identity (see BRs 7.1.4.2.1)
 
Project Member

Comment 1 by bugdroid1@chromium.org, Apr 5 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3dabe0bae39821e11a75064c6a4a299287310769

commit 3dabe0bae39821e11a75064c6a4a299287310769
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Thu Apr 05 03:59:01 2018

Introduce additional Certificate Transparency preferences

This adds two new preferences for controlling Certificate Transparency
configuration, intended for use within an Enterprise. In a follow-up,
these will be wired up to Enterprise Policies for enterprise-wide
configuration.

- certificate_transparency.excluded_spkis

  For organizations that are issuing organizationally-bound certificates
  (either OV or EV), they can disable Certificate Transparency for their
  organization by specifying SPKI hashes. Certificate Transparency will be
  disabled if the validated certificate chain contains one of these SPKI
  hashes, and the certificate associated with the SPKI hash meets one of the
  following conditions:

  1) The hash matches the leaf cert's SPKI
  2) The hash matches a CA certificate that has a nameConstraints extension
     with a permittedSubtrees tree, which contains one or more directoryName
     nameConstraints, and there is a directoryName nameConstraint that
     restricts the O field and the leaf cert also has one or more O fields
     in the Subject.
  3) The hash matches a CA certificate, and the CA certificate has one or
     more O fields in the Subject, and these are equal to the Leaf cert in
     ordering, value, and number of values.

- certificate_transparency.excluded_legacy_spkis

  For organizations which are relying on trust anchors that have been removed
  by default by newer versions of the trust store, but were present in older
  versions (and thus subjected to CT requirements), they can disable
  Certificate Transparency for certificates under these CAs by specifying the
  SPKI hash. The SPKI hash must be one which appears in
  //net/data/ssl/root_stores and must not be presently trusted on Android or
  Chrom[e/ium]OS.

Bug: 824184
Change-Id: I0098bf7c28ac5201f9ba0f171f55a43a7fe3e073
Reviewed-on: https://chromium-review.googlesource.com/987513
Commit-Queue: Doug Turner <dougt@chromium.org>
Reviewed-by: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#548318}
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/components/certificate_transparency/ct_policy_manager.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/components/certificate_transparency/ct_policy_manager_unittest.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/components/certificate_transparency/pref_names.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/components/certificate_transparency/pref_names.h
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/BUILD.gn
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/cert/internal/name_constraints.h
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/cert/known_roots.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/cert/known_roots.h
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/cert/root_cert_list_generated.h
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/cert/x509_util.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/cert/x509_util.h
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/gencerts/__init__.py
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/gencerts/openssl_conf.py
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/README.md
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/generate-certs.py
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/int-bmp-o1.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/int-cn.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/int-o1-o2.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/int-o1-plus-o2.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/int-o2-o1.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/int-o3.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/keys/i.key
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/keys/leaf.key
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/keys/root.key
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/leaf-no-o.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/leaf-o1-o2.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/leaf-o1.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/nc-int-exclude-o1.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/nc-int-permit-bmp-o1.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/nc-int-permit-cn.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/nc-int-permit-dns.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/nc-int-permit-o1.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/nc-int-permit-o2-o1-o3.pem
[add] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ov_name_constraints/root.pem
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/data/ssl/root_stores/update_root_stores.py
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/http/transport_security_state.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/http/transport_security_state.h
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/quic/chromium/crypto/proof_verifier_chromium_test.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/spdy/chromium/spdy_session_unittest.cc
[modify] https://crrev.com/3dabe0bae39821e11a75064c6a4a299287310769/net/tools/update_ios_bundle_data.py
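To make the three matching conditions in the commit message above concrete, here is an added Python model of the excluded_spkis decision (example code written for this page, not Chromium's implementation, which is in the files listed above and is not reproduced here). Certificates are constructed in-memory records rather than parsed DER so the example runs offline; the fixture names mirror the net/data/ov_name_constraints test files, but the key bytes are stand-ins, and O values are compared as plain strings, which sidesteps the DirectoryString encoding question (BMPString vs. UTF8String) that the issue description raises under BRs 7.1.4.2.1.

```python
"""Added example (not Chromium code): the certificate_transparency.excluded_spkis
matching rules from commit 548318, modelled over constructed certificate records.
"""
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def spki_hash_label(der_spki: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, rendered as 'sha256/<base64>'."""
    digest = hashlib.sha256(der_spki).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


@dataclass
class Cert:
    spki: str                                           # label from spki_hash_label()
    subject_o: List[str] = field(default_factory=list)  # O values in Subject order
    # nameConstraints permittedSubtrees directoryName entries, each modelled as
    # {attribute type: value}. None means no permittedSubtrees directoryName exists.
    permitted_dir_names: Optional[List[Dict[str, str]]] = None


def rule_name_constrained_o(ca: Cert, leaf: Cert) -> bool:
    """Rule 2: a permitted directoryName restricts O, and the leaf carries an O."""
    if not ca.permitted_dir_names or not leaf.subject_o:
        return False
    return any("O" in dn for dn in ca.permitted_dir_names)


def rule_same_o(ca: Cert, leaf: Cert) -> bool:
    """Rule 3: CA has one or more O values equal to the leaf's in number, order, value."""
    return bool(ca.subject_o) and ca.subject_o == leaf.subject_o


def ct_disabled_for_chain(chain: List[Cert], excluded_spkis: List[str]) -> bool:
    """chain[0] is the leaf, the rest are the CA certificates of the validated chain.

    Returns True when CT enforcement is disabled for this chain under the policy.
    """
    if not chain:
        raise ValueError("empty chain")
    leaf, excluded = chain[0], set(excluded_spkis)
    if leaf.spki in excluded:                 # Rule 1: the listed hash is the leaf's
        return True
    for ca in chain[1:]:
        if ca.spki not in excluded:
            continue
        if rule_name_constrained_o(ca, leaf) or rule_same_o(ca, leaf):
            return True
    return False


# Constructed fixtures; the key bytes are placeholders, not real SubjectPublicKeyInfo.
# All intermediates share one key (as the test data shares keys/i.key).
ROOT = Cert(spki_hash_label(b"stand-in root key"))
INT_O1_O2 = Cert(spki_hash_label(b"stand-in intermediate key"), subject_o=["O1", "O2"])
INT_O2_O1 = Cert(INT_O1_O2.spki, subject_o=["O2", "O1"])
NC_INT_PERMIT_O1 = Cert(INT_O1_O2.spki, permitted_dir_names=[{"O": "O1"}])
NC_INT_PERMIT_CN = Cert(INT_O1_O2.spki, permitted_dir_names=[{"CN": "example"}])
LEAF_O1_O2 = Cert(spki_hash_label(b"stand-in leaf key"), subject_o=["O1", "O2"])
LEAF_NO_O = Cert(LEAF_O1_O2.spki)


def demo() -> Dict[str, bool]:
    """Evaluate the policy against chains that hit or miss each rule."""
    policy = [INT_O1_O2.spki]  # the enterprise lists only the intermediate's SPKI hash
    return {
        "same O, same order": ct_disabled_for_chain([LEAF_O1_O2, INT_O1_O2, ROOT], policy),
        "same O, different order": ct_disabled_for_chain([LEAF_O1_O2, INT_O2_O1, ROOT], policy),
        "nameConstraints on O": ct_disabled_for_chain([LEAF_O1_O2, NC_INT_PERMIT_O1, ROOT], policy),
        "nameConstraints on CN": ct_disabled_for_chain([LEAF_O1_O2, NC_INT_PERMIT_CN, ROOT], policy),
        "leaf without O": ct_disabled_for_chain([LEAF_NO_O, NC_INT_PERMIT_O1, ROOT], policy),
        "leaf SPKI listed": ct_disabled_for_chain([LEAF_NO_O, INT_O1_O2, ROOT], [LEAF_NO_O.spki]),
    }


if __name__ == "__main__":
    for case, disabled in demo().items():
        print(f"{case:28s} CT disabled: {disabled}")
```

The point the fixtures make is that listing a CA's SPKI hash is not by itself enough: a chain through an intermediate whose O values are in a different order, or whose name constraints restrict only CN, still gets CT enforced, as does any leaf without an O. For a real certificate the label is computed over the DER SubjectPublicKeyInfo (for example `openssl x509 -pubkey -noout` piped into `openssl pkey -pubin -outform DER`, then SHA-256 and base64), not over bytes like the placeholders here.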

Project Member

Comment 2 by bugdroid1@chromium.org, Apr 6 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c8889d0e8f2e63eff73ee6b7b10b56b45b3fe356

commit c8889d0e8f2e63eff73ee6b7b10b56b45b3fe356
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Fri Apr 06 17:57:05 2018

Glue up additional Certificate Transparency Enterprise Policies

https://crrev.com/548318 introduced two additional preferences for
controlling Certificate Transparency disabling, and this glues up
these preferences to Enterprise Policies - specifically,
CertificateTransparencyEnforcementDisabledForCas and
CertificateTransparencyEnforcementDisabledForLegacyCas

BUG=824184

Change-Id: I06338e82c8280db21f1b48e9455074d020f51f83
Reviewed-on: https://chromium-review.googlesource.com/998546
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Bartosz Fabianowski <bartfab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#548852}
[modify] https://crrev.com/c8889d0e8f2e63eff73ee6b7b10b56b45b3fe356/chrome/browser/policy/configuration_policy_handler_list_factory.cc
[modify] https://crrev.com/c8889d0e8f2e63eff73ee6b7b10b56b45b3fe356/chrome/browser/policy/policy_browsertest.cc
[modify] https://crrev.com/c8889d0e8f2e63eff73ee6b7b10b56b45b3fe356/chrome/test/data/policy/policy_test_cases.json
[modify] https://crrev.com/c8889d0e8f2e63eff73ee6b7b10b56b45b3fe356/components/policy/resources/policy_templates.json
[modify] https://crrev.com/c8889d0e8f2e63eff73ee6b7b10b56b45b3fe356/tools/metrics/histograms/enums.xml

Labels: M-67
Status: Verified (was: Assigned)
