Issue 827170 link

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Expect-CT should respect Enterprise Policies disabling CT

Project Member Reported by rsleevi@chromium.org, Mar 29 2018

Issue description

Expect-CT is a header set by a server that enables it to indicate it expects compliance to CT policies.

DisableCertificateTransparencyEnforcementForUrls is an Enterprise Policy that allows disabling CT enforcement for specific URLs.

Currently, the behaviour is that Expect-CT being set overrides the Enterprise Policies, by virtue of a short-circuit. That is, if Expect-CT is set to FAIL, and Enterprise Policy is set to DONT_FAIL, then the result is FAIL, but the expected result is DONT_FAIL. If the Enterprise Policy is set to DEFAULT or FAIL, the expected result is FAIL (Expect-CT applying).
 
estark: So I can understand not doing client enforcement, but should we send a report anyways?

Comment 2 by est...@chromium.org, Mar 29 2018

I think sending a report is reasonable -- it could still be useful to the server operator even though enforcement is disabled.
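The precedence the issue describes, with the short-circuit behaviour beside the expected one, as an added example in C++ that is not Chromium's code. The enum values DEFAULT / DONT_FAIL / FAIL are the shorthand used in the issue description, not Chromium's own identifiers; the host matcher for DisableCertificateTransparencyEnforcementForUrls is a simplified assumption (exact host or parent domain, rather than the policy's real URL-pattern grammar); and reporting is kept independent of enforcement, as comment 2 suggests.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Enterprise CT level for a host, using the shorthand from the issue
// description (DEFAULT / DONT_FAIL / FAIL). These are not Chromium's enum names.
enum class PolicyLevel { DEFAULT, DONT_FAIL, FAIL };

// What an Expect-CT header asked for: "enforce" hard-fails on CT
// non-compliance, "report" means a report-uri was given. Constructed struct.
struct ExpectCTState {
  bool enforce;
  bool report;
};

struct CTDecision {
  bool enforce;  // close the connection if the certificate is not CT-compliant
  bool report;   // still send an Expect-CT report to the server operator
};

// Hypothetical simplified matcher for the
// DisableCertificateTransparencyEnforcementForUrls list: an entry matches the
// exact host or any subdomain of it. The real policy accepts URL patterns;
// that grammar is deliberately not modelled here.
bool HostMatchesEntry(const std::string& host, const std::string& entry) {
  if (host == entry) return true;
  if (host.size() <= entry.size()) return false;
  std::size_t offset = host.size() - entry.size();
  return host[offset - 1] == '.' &&
         host.compare(offset, entry.size(), entry) == 0;
}

// A host covered by the policy list gets DONT_FAIL; everything else keeps
// the DEFAULT level (the baseline CT policy for DEFAULT is out of scope here).
PolicyLevel PolicyLevelForHost(const std::string& host,
                               const std::vector<std::string>& disabled_entries) {
  for (const std::string& entry : disabled_entries) {
    if (HostMatchesEntry(host, entry)) return PolicyLevel::DONT_FAIL;
  }
  return PolicyLevel::DEFAULT;
}

// Behaviour the issue reports: Expect-CT short-circuits before the enterprise
// policy is consulted, so DONT_FAIL never gets a chance to win.
CTDecision DecideBeforeFix(ExpectCTState expect_ct, PolicyLevel policy) {
  if (expect_ct.enforce) return {true, expect_ct.report};
  return {policy == PolicyLevel::FAIL, expect_ct.report};
}

// Expected behaviour: an explicit DONT_FAIL policy disables enforcement even
// when Expect-CT asks for it; DEFAULT or FAIL leave Expect-CT applying.
// Reporting does not depend on whether enforcement is active.
CTDecision DecideAfterFix(ExpectCTState expect_ct, PolicyLevel policy) {
  bool enforce = (policy != PolicyLevel::DONT_FAIL) &&
                 (expect_ct.enforce || policy == PolicyLevel::FAIL);
  return {enforce, expect_ct.report};
}

// Ties the host lookup and the corrected decision together.
CTDecision DecideForHost(const std::string& host, ExpectCTState expect_ct,
                         const std::vector<std::string>& disabled_entries) {
  return DecideAfterFix(expect_ct, PolicyLevelForHost(host, disabled_entries));
}
```

The only row of the truth table that changes between the two decision functions is Expect-CT enforce combined with DONT_FAIL: the short-circuit version hard-fails there, the corrected version does not, while the report flag is identical in both.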
Project Member Comment 3 by bugdroid1@chromium.org, Mar 29 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01e94e1c9684b8c8ad19ca67c0f0b41c2fa64517

commit 01e94e1c9684b8c8ad19ca67c0f0b41c2fa64517
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Thu Mar 29 22:39:20 2018

Ensure Expect-CT enforcement respects enterprise policies

Previously, Expect-CT would enable hard-fail enforcement of
CT for a domain, even if an Enterprise had disabled such
enforcement (via DisableCertificateTransparencyEnforcementForUrls).

Now, Enterprise Policies can be used to disable Expect-CT
enforcement for domains, which aligns with the priority of
constituencies and helps reduce any friction towards enabling
Expect-CT for split-DNS scenarios.

BUG= 827170 

Change-Id: I7b5cb3891d5726d3755f6d9e15f87050ebec6c7b
Reviewed-on: https://chromium-review.googlesource.com/986553
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546992}
[modify] https://crrev.com/01e94e1c9684b8c8ad19ca67c0f0b41c2fa64517/net/http/transport_security_state.cc
[modify] https://crrev.com/01e94e1c9684b8c8ad19ca67c0f0b41c2fa64517/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/01e94e1c9684b8c8ad19ca67c0f0b41c2fa64517/net/socket/ssl_client_socket_unittest.cc

Labels: M-67
Status: Verified (was: Started)
