
Issue 862003

Issue metadata

Status: Available
Owner: ----
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task

Blocking:
issue 803774



Remove kAllowSignedHTTPExchangeCertsWithoutExtension feature flag

Project Member Reported by ksakamoto@chromium.org, Jul 10

Issue description

The kAllowSignedHTTPExchangeCertsWithoutExtension flag (#allow-sxg-certs-without-extension in about:flags) is temporary as currently there's no trusted CA supporting the CanSignHttpExchangesDraft extension.

Remove the flag once certificates with CanSignHttpExchangesDraft extension are available from trusted CAs.
 
Carrying over another comment from a CL:

Today, site developers are able to test signed exchanges by getting a TLS certificate from a trusted CA (hopefully with a different key than their production server) and testing the rest of the packaging flow, such as SCTs and OCSP responses. Without this flag - that is, with strict enforcement of the extension - there's no way to test locally until CAs support this, short of --ignore-cert-errors-spki-list, which would mask SCT and OCSP errors, preventing testing of the very thing it's supposed to be testing.
