Issue 838680

Starred by 5 users

Issue metadata

Status: Verified
Closed: May 2018
OS: Windows, Chrome, Mac
Pri: 1
Type: Feature


Enforce the Chromium Certificate Transparency Policy

Project Member Reported by rsleevi@chromium.org, May 1 2018

Issue description

As announced in October 2016 [1] and then updated [2] in response to CA and site operator feedback, all certificates issued after April 30, 2018 MUST be disclosed in compliance with the Certificate Transparency in Chrome policy [3] in order to continue to be trusted. This is a requirement upon CAs to ensure their certificates comply, that their OCSP responder complies (and customers are informed of the necessity to OCSP staple if they obtain certificates from those CAs), or that their customers know that they will not be able to use that CA's certificates without further configuration.

In order to ensure this policy is adhered to, Chrome should enforce these requirements through the technical implementation - rejecting all certificates that are not appropriately disclosed.


[1] https://cabforum.org/pipermail/public/2016-October/008638.html
[2] https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/sz_3W_xKBNY/6jq2ghJXBAAJ
[3] https://goo.gl/chrome/ct-policy
Project Member Comment 1 by bugdroid1@chromium.org, May 15 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e5574e08d3fb5898a8712862e1aa1a4438fe28f4

commit e5574e08d3fb5898a8712862e1aa1a4438fe28f4
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Tue May 15 04:37:23 2018

Enforce Certificate Transparency for certs issued after April 2018

Certificate Transparency is now required by policy for all new
certificates issued after April 2018 - that is, on or after
2018-05-01 00:00:00 UTC, as measured by the certificate's notBefore.

In order to ensure compliance to this policy, actually enforce it
in code.

This restructures the CTPolicyManager, which originally was a
pimpl'd bridge between the UI and IO threads, into the
ChromeRequireCTDelegate, now that it's solely single threaded and
has a defined interaction. To maintain existing behaviour, one can
enable CT policies without enforcing the April 2018 requirement, or
can enable new cert enforcement as well.

BUG=838680

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I939bc2ee6fde58f877a669278c92678153f61fdc
Reviewed-on: https://chromium-review.googlesource.com/1054947
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Eran Messeri <eranm@chromium.org>
Reviewed-by: Mustafa Emre Acer <meacer@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558610}
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/chrome/browser/ssl/ssl_browsertest.cc
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/components/certificate_transparency/BUILD.gn
[rename] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/components/certificate_transparency/chrome_require_ct_delegate.cc
[add] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/components/certificate_transparency/chrome_require_ct_delegate.h
[rename] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/components/certificate_transparency/chrome_require_ct_delegate_unittest.cc
[delete] https://crrev.com/d7f1662fbdcd8664dd6ce365784359219888d485/components/certificate_transparency/ct_policy_manager.h
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/net/data/ssl/certificates/README
[add] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/net/data/ssl/certificates/may_2018.pem
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/net/data/ssl/scripts/generate-test-certs.sh
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/services/network/network_context.cc
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/services/network/network_context.h
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/services/network/public/mojom/network_context.mojom
[modify] https://crrev.com/e5574e08d3fb5898a8712862e1aa1a4438fe28f4/services/network/url_request_context_builder_mojo.cc

Status: Verified (was: Started)
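The gate described in the issue and in the commit message is simple to state: look at the certificate's notBefore, and if it is on or after 2018-05-01 00:00:00 UTC, refuse the certificate unless SCTs are present through one of the three delivery paths (embedded in the certificate, stapled in the OCSP response, or sent in the TLS extension). The Go program below is an added example written for this page; it is not Chromium's ChromeRequireCTDelegate or any other code from the commit. It generates its own self-signed test certificates, embeds constructed SCTs in the RFC 6962 extension (OID 1.3.6.1.4.1.11129.2.4.2), parses them back out, and applies the date gate, with a switch mirroring the commit's note that CT policies can run without the April 2018 requirement. The SCT thresholds in `Policy` are placeholders: the real Chrome policy [3] derives the embedded-SCT count from the certificate lifetime and also requires log diversity, and a real client verifies each SCT signature against the log's key, which this example does not do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Cut-off from the commit message: notBefore on or after this instant is gated.
var enforceFrom = time.Date(2018, 5, 1, 0, 0, 0, 0, time.UTC)

// X.509v3 extension carrying an embedded SignedCertificateTimestampList (RFC 6962 3.3).
var oidEmbeddedSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// SCT keeps the two fields a policy check needs; signature bytes are skipped (not verified here).
type SCT struct {
	LogID     [32]byte
	Timestamp time.Time
}

// Policy thresholds are placeholders (assumption), not Chrome's real numbers.
type Policy struct {
	EnforceNewCerts bool // false reproduces "CT policies without the April 2018 requirement"
	MinEmbedded     int  // distinct logs needed among embedded SCTs
	MinDelivered    int  // distinct logs needed among OCSP-stapled / TLS-extension SCTs
}

// CTRequired is the date gate: measured on notBefore, inclusive of the cut-off instant.
func CTRequired(cert *x509.Certificate) bool { return !cert.NotBefore.Before(enforceFrom) }

// ParseSCTList decodes the TLS-encoded list: uint16 total length, then (uint16 length, SCT) entries.
func ParseSCTList(b []byte) ([]SCT, error) {
	if len(b) < 2 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return nil, errors.New("bad SCT list length")
	}
	var out []SCT
	for b = b[2:]; len(b) > 0; {
		if len(b) < 2 {
			return nil, errors.New("truncated entry length")
		}
		n := int(binary.BigEndian.Uint16(b))
		if b = b[2:]; n > len(b) {
			return nil, errors.New("truncated SCT entry")
		}
		// version(1) log_id(32) timestamp(8) extensions<0..2^16-1> digitally-signed signature
		if n < 43 || b[0] != 0 {
			return nil, errors.New("short or unknown-version SCT")
		}
		var s SCT
		copy(s.LogID[:], b[1:33])
		s.Timestamp = time.Unix(0, int64(binary.BigEndian.Uint64(b[33:41]))*int64(time.Millisecond)).UTC()
		if extLen := int(binary.BigEndian.Uint16(b[41:43])); n < 43+extLen+4 {
			return nil, errors.New("truncated SCT extensions/signature")
		}
		out, b = append(out, s), b[n:]
	}
	return out, nil
}

// EmbeddedSCTs unwraps the extension's OCTET STRING and parses the list inside it.
func EmbeddedSCTs(cert *x509.Certificate) ([]SCT, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEmbeddedSCT) {
			var list []byte
			if rest, err := asn1.Unmarshal(ext.Value, &list); err != nil || len(rest) != 0 {
				return nil, errors.New("SCT extension is not a single OCTET STRING")
			}
			return ParseSCTList(list)
		}
	}
	return nil, nil
}

func distinctLogs(scts []SCT) int {
	seen := map[[32]byte]bool{}
	for _, s := range scts {
		seen[s.LogID] = true
	}
	return len(seen)
}

// Evaluate applies the gate, then accepts if either delivery path meets its placeholder threshold.
func Evaluate(cert *x509.Certificate, delivered []SCT, p Policy) (bool, string) {
	if !p.EnforceNewCerts || !CTRequired(cert) {
		return true, "not subject to the April 2018 requirement"
	}
	embedded, err := EmbeddedSCTs(cert)
	if err != nil {
		return false, "malformed embedded SCT list: " + err.Error()
	}
	if n := distinctLogs(embedded); n >= p.MinEmbedded {
		return true, fmt.Sprintf("%d distinct logs via embedded SCTs", n)
	}
	if n := distinctLogs(delivered); n >= p.MinDelivered {
		return true, fmt.Sprintf("%d distinct logs via OCSP/TLS SCTs", n)
	}
	return false, "issued on/after 2018-05-01 without sufficient SCTs: rejected"
}

// FakeSCT builds a syntactically valid v1 SCT for a constructed log id; the signature is a placeholder.
func FakeSCT(id byte, ts time.Time) []byte {
	b := append([]byte{0}, make([]byte, 32)...)
	b[1] = id
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(ts.UnixNano()/int64(time.Millisecond)))
	b = append(b, t[:]...)
	return append(b, 0, 0, 4, 3, 0, 1, 0xAA) // no extensions; sha256/ecdsa, 1-byte fake signature
}

// SCTList TLS-encodes SCTs into a SignedCertificateTimestampList.
func SCTList(scts ...[]byte) []byte {
	var body []byte
	for _, s := range scts {
		body = append(append(body, byte(len(s)>>8), byte(len(s))), s...)
	}
	return append([]byte{byte(len(body) >> 8), byte(len(body))}, body...)
}

// SelfSigned makes a throwaway test certificate; a non-nil list is embedded as the SCT extension.
func SelfSigned(notBefore time.Time, list []byte) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ct-example.invalid"},
		NotBefore: notBefore, NotAfter: notBefore.Add(90 * 24 * time.Hour)}
	if list != nil {
		der, _ := asn1.Marshal(list) // OCTET STRING wrapping the TLS-encoded list
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEmbeddedSCT, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	p := Policy{EnforceNewCerts: true, MinEmbedded: 2, MinDelivered: 2}
	cut := time.Date(2018, 5, 1, 0, 0, 0, 0, time.UTC)
	old, _ := SelfSigned(cut.Add(-time.Second), nil)
	bare, _ := SelfSigned(cut, nil)
	embedded, _ := SelfSigned(cut, SCTList(FakeSCT(1, cut), FakeSCT(2, cut)))
	stapled, _ := ParseSCTList(SCTList(FakeSCT(7, cut), FakeSCT(8, cut)))
	for _, c := range []struct {
		name string
		cert *x509.Certificate
		ocsp []SCT
	}{{"issued 2018-04-30, no SCTs", old, nil}, {"issued 2018-05-01, no SCTs", bare, nil},
		{"issued 2018-05-01, 2 embedded", embedded, nil}, {"issued 2018-05-01, 2 stapled", bare, stapled}} {
		ok, why := Evaluate(c.cert, c.ocsp, p)
		fmt.Printf("%-32s accept=%-5v %s\n", c.name, ok, why)
	}
}
```

The date comparison uses `!NotBefore.Before(enforceFrom)` rather than `After` so that a certificate whose notBefore is exactly 2018-05-01 00:00:00 UTC is gated, matching the commit's "on or after". Note that a malformed embedded SCT list is treated as a rejection rather than as "no SCTs", so a certificate cannot fall back to the lower OCSP/TLS threshold by shipping a garbled extension.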
