Description

Add and connect an Enterprise Policy for whitelisting
hosts as exempt from Certificate Transparency policy.
This introduces a policy
(CertificateTransparencyEnforcementDisabledForUrls) that
allows exempting certain hostnames from the Certificate
Transparency requirements. Some CAs, such as Symantec and
CNNIC at present, are required to disclose their
certificates via CT in order to have them trusted; any
certificate not disclosed is not trusted.
However, to accommodate some enterprise users who have the
capability to manage Chromium consumers, but cannot
manage other certificate-consuming systems on their
network, and which need certificates from these CAs, and
which claim that they cannot have these hosts disclosed
publicly (e.g. "topsecret.internal.example.com"), this
provides a policy mechanism to allow those hosts to be
exempted from the CT requirement.
This is not a blanket policy for general hosts on the
Internet; in general, all certificates from these CAs
must conform, unless the device is enterprise managed.
Whether this policy ends up being temporary or not
depends on the IETF and CA community, and whether or not
a suitable technical means of redaction can be devised
which allows redaction (e.g. "?.?.example.com") to be
safely performed. For now and the foreseeable future,
redaction is not viable for Chromium, so the enterprise
policy is offered as an alternative.
BUG=620178
TBR=atwilson@chromium.org
Committed: https://crrev.com/96356f8d5e565b402c85b3a4c4a58d58fb594dbd
Cr-Commit-Position: refs/heads/master@{#403125}
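Because the description stresses that this is not a blanket exemption, an administrator deploying it wants a check that the managed-policy file only lists specific hosts under domains the enterprise actually controls. The linter below is an added example, not code from this change or from Chromium; it assumes the policy value is a JSON list of bare hostnames (as in the "topsecret.internal.example.com" example above), and its audit rules are this example's own, not Chromium's pattern-matching logic.

```python
"""Lint the CertificateTransparencyEnforcementDisabledForUrls entries in a
Chromium managed-policy JSON document so the CT exemption list stays narrow.
The rules here are the example's own assumptions, not Chromium's matching."""
import json
import re

POLICY = "CertificateTransparencyEnforcementDisabledForUrls"
# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no edge hyphens.
HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample policy file contents (not from the original page).
SAMPLE_POLICY = json.dumps({POLICY: [
    "topsecret.internal.example.com",      # specific internal host: fine
    "*.example.com",                       # wildcard: too broad
    "https://x.internal.example.com/",     # URL, not a bare hostname
    "login.partner.example",               # domain the enterprise does not control
]})


def lint_ct_exemptions(policy_json, allowed_suffixes):
    """Return [(entry, reason)] for entries that should not be exempted.

    allowed_suffixes: domains the enterprise controls (e.g. "internal.example.com").
    An entry passes only if it is a single, syntactically valid hostname that
    sits strictly below one of those suffixes and appears once."""
    doc = json.loads(policy_json)
    entries = doc.get(POLICY, [])
    if not isinstance(entries, list):
        return [(POLICY, "value must be a list of hostnames")]
    suffixes = [s.lower().strip(".") for s in allowed_suffixes]
    problems, seen = [], set()
    for raw in entries:
        if not isinstance(raw, str):
            problems.append((repr(raw), "not a string"))
            continue
        host = raw.strip().lower().rstrip(".")
        if host in seen:
            problems.append((raw, "duplicate entry"))
        elif "://" in host or "/" in host or ":" in host:
            problems.append((raw, "contains scheme, port or path; list a bare hostname"))
        elif "*" in host:
            problems.append((raw, "wildcard would exempt an open-ended set of hosts"))
        elif not HOST_RE.match(host):
            problems.append((raw, "not a syntactically valid hostname"))
        elif not any(host.endswith("." + s) for s in suffixes):
            problems.append((raw, "not strictly below an enterprise-controlled suffix"))
        seen.add(host)
    return problems


if __name__ == "__main__":
    for entry, reason in lint_ct_exemptions(SAMPLE_POLICY, ["internal.example.com"]):
        print(f"REJECT {entry}: {reason}")
```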
Patch sets

Patch Set 1
Patch Set 2: Feedback
Patch Set 3: with unittests
Patch Set 4: Rebased & with E2E test
Patch Set 5: Less dep
Patch Set 6: Rebased
Patch Set 7: Combine with https://codereview.chromium.org/2087743002
Patch Set 8: Feedback
Patch Set 9: Rebased to master
Patch Set 10: Fix gyp
Patch Set 11: Make Win happy with an auto (size_t vs ssize_t)
Patch Set 12: Fully shutdown prefs
Patch Set 13: Fix GYP again
Patch Set 14: Review feedback & one TODO
Patch Set 15: compiled wrong target
Patch Set 16: Comment tweak to remove ()