Chromium Code Reviews

Issue 2109913004: Require Certificate Transparency for Symantec-operated roots (Closed)

Created: 4 years, 5 months ago by Ryan Sleevi
Modified: 4 years, 5 months ago
Reviewers: eroman
CC: chromium-reviews, cbentzel+watch_chromium.org
Base URL: https://chromium.googlesource.com/chromium/src.git@wire_up_policy
Target Ref: refs/pending/heads/master
Project: chromium
Visibility: Public.

Description

Require Certificate Transparency for Symantec-operated roots

In line with https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html this CL requires that all Symantec-issued certificates after 1 June 2016 be CT qualified, as defined by the Certificate Transparency in Chrome Policy - https://www.chromium.org/Home/chromium-security/certificate-transparency

Any certificates that are not CT qualified will cause an interstitial with ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.

BUG=620178

Committed: https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a
Cr-Commit-Position: refs/heads/master@{#403328}

Patch Set 1 #

Total comments: 8

Patch Set 2 : Fix typo #

Total comments: 3

Patch Set 3 : More tests #

Total comments: 1

Patch Set 4 : Review feedback #

Patch Set 5 : Update readme #

Patch Set 6 : Rebased to master #

Patch Set 7 : Update readme & add escape valve #

Patch Set 8 : iOS fix #

Patch Set 9 : NaCL #

Stats (+3789 lines, -66 lines)
M net/data/ssl/blacklist/README.md View 14 chunks +41 lines, -41 lines 0 comments Download
M net/data/ssl/certificates/README View 1 2 3 4 1 chunk +5 lines, -0 lines 0 comments Download
A net/data/ssl/certificates/post_june_2016.pem View 1 2 1 chunk +82 lines, -0 lines 0 comments Download
A net/data/ssl/certificates/pre_june_2016.pem View 1 2 1 chunk +82 lines, -0 lines 0 comments Download
M net/data/ssl/scripts/generate-test-certs.sh View 1 2 2 chunks +49 lines, -24 lines 0 comments Download
A net/data/ssl/symantec/README.md View 1 2 3 4 5 6 1 chunk +57 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem View 1 chunk +70 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem View 1 chunk +96 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem View 1 chunk +70 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/8c31013d19f8eea618c95fda6d21f5777c6e930c7413031559ee863d78dfe809.pem View 1 chunk +96 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem View 1 chunk +99 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem View 1 chunk +96 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem View 1 chunk +94 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/excluded/d6e4e7b9af3bd5a8f2d6321cde26639c25644f7307ce16aad347d9ad53d3ce13.pem View 1 chunk +87 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/08297a4047dba23680c731db6e317653ca7848e1bebd3a0b0179a707f92cf178.pem View 1 chunk +71 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/2399561127a57125de8cefea610ddf2fa078b5c8067f4e828290bfb860e84b3c.pem View 1 chunk +87 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/2930bd09a07126bdc17288d4f2ad84645ec948607907a97b5ed0b0b05879ef69.pem View 1 chunk +47 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/2f274e48aba4ac7b765933101775506dc30ee38ef6acd5c04932cfe041234220.pem View 1 chunk +71 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/309b4a87f6ca56c93169aaa99c6d988854d7892bd5437e2d07b29cbeda55d35d.pem View 1 chunk +83 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/341de98b1392abf7f4ab90a960cf25d4bd6ec65b9a51ce6ed067d00ec7ce9b7f.pem View 1 chunk +53 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/37d51006c512eaab626421f1ec8c92013fc5f82ae98ee533eb4619b8deb4d06c.pem View 1 chunk +78 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/3a43e220fe7f3ea9653d1e21742eac2b75c20fd8980305bc502caf8c2d9b41a1.pem View 1 chunk +53 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/44640a0a0e4d000fbd574d2b8a07bdb4d1dfed3b45baaba76f785778c7011961.pem View 1 chunk +53 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/5edb7ac43b82a06a8761e8d7be4979ebf2611f7dd79bf91c1c6b566a219ed766.pem View 1 chunk +54 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/5f0b62eab5e353ea6521651658fbb65359f443280a4afbd104d77d10f9f04c07.pem View 1 chunk +59 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/69ddd7ea90bb57c93e135dc85ea6fcd5480b603239bdc454fc758b2a26cf7f79.pem View 1 chunk +60 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/83ce3c1229688a593d485f81973c0f9195431eda37cc5e36430e79c7a888638b.pem View 1 chunk +53 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/92a9d9833fe1944db366e8bfae7a95b6480c2d6c6c2a1be65d4236b608fca1bb.pem View 1 chunk +74 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/944554239d91ed9efedcf906d5e8113160b46fc816dc6bdc77b89da29b6562b9.pem View 1 chunk +48 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/9acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df.pem View 1 chunk +87 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/9d190b2e314566685be8a889e27aa8c7d7ae1d8aaddba3c1ecf9d24863cd34b9.pem View 1 chunk +81 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/9e503738722e0a104cf659ff9f92f0b5b3662acd112d4664d1e7db93abf46a59.pem View 1 chunk +121 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/a0234f3bc8527ca5628eec81ad5d69895da5680dc91d1cb8477f33f878b95b0b.pem View 1 chunk +121 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/a0459b9f63b22559f5fa5d4c6db3f9f72ff19342033578f073bf1d1b46cbb912.pem View 1 chunk +121 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/a4b6b3996fc2f306b3fd8681bd63413d8c5009cc4fa329c2ccf0e2fa1b140305.pem View 1 chunk +48 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/b478b812250df878635c2aa7ec7d155eaa625ee82916e2cd294361886cd1fbd4.pem View 1 chunk +81 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/c38dcb38959393358691ea4d4f3ce495ce748996e64ed1891d897a0fc4dd55c6.pem View 1 chunk +88 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/ca2d82a08677072f8ab6764ff035676cfe3e5e325e012172df3f92096db79b85.pem View 1 chunk +80 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/cb627d18b58ad56dde331a30456bc65c601a4e9b18dedcea08e7daaa07815ff0.pem View 1 chunk +81 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/cbb5af185e942a2402f9eacbc0ed5bb876eea3c1223623d00447e4f3ba554b65.pem View 1 chunk +74 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/cf56ff46a4a186109dd96584b5eeb58a510c4275b0e5f94f40bbae865e19f673.pem View 1 chunk +59 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/d17cd8ecd586b712238a482ce46fa5293970742f276d8ab6a9e46ee0288f3355.pem View 1 chunk +49 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/e389360d0fdbaeb3d250584b4730314e222f39c156a020144e8d960561791506.pem View 1 chunk +74 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/e6b8f8766485f807ae7f8dac1670461f07c0a13eef3a1ff717538d7abad391b4.pem View 1 chunk +90 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/eb04cf5eb1f39afa762f2bb120f296cba520c1b97db1589565b81cb9a17b7244.pem View 1 chunk +74 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/ebf3c02a8789b1fb7d511995d663b72906d913ce0d5e10568a8a77e2586167e7.pem View 1 chunk +83 lines, -0 lines 0 comments Download
A net/data/ssl/symantec/roots/ff856a2d251dcd88d36656f450126798cfabaade40799c722de4d2b5db36a73a.pem View 1 chunk +77 lines, -0 lines 0 comments Download
M net/http/transport_security_state.cc View 1 2 3 4 5 6 7 8 4 chunks +80 lines, -1 line 0 comments Download
A net/http/transport_security_state_ct_policies.inc View 1 chunk +182 lines, -0 lines 0 comments Download
M net/http/transport_security_state_unittest.cc View 1 2 3 4 5 6 2 chunks +68 lines, -0 lines 0 comments Download
M net/net.gypi View 1 2 3 4 5 6 7 1 chunk +2 lines, -0 lines 0 comments Download

Messages

Total messages: 24 (10 generated)
Ryan Sleevi
https://codereview.chromium.org/2109913004/diff/1/net/data/ssl/symantec/README.md
File net/data/ssl/symantec/README.md (right):

https://codereview.chromium.org/2109913004/diff/1/net/data/ssl/symantec/README.md#newcode25
net/data/ssl/symantec/README.md:25: Symantec has sent the audit details directly, because Aetna ...
4 years, 5 months ago (2016-06-29 22:03:25 UTC) #1
Ryan Sleevi
Order of recommended reading:
- transport_security_state.cc changes to review the implementation
- The /symantec/README.md file ...
4 years, 5 months ago (2016-06-29 22:14:16 UTC) #3
eroman
lgtm

https://codereview.chromium.org/2109913004/diff/1/net/data/ssl/symantec/README.md
File net/data/ssl/symantec/README.md (right):

https://codereview.chromium.org/2109913004/diff/1/net/data/ssl/symantec/README.md#newcode8
net/data/ssl/symantec/README.md:8: For details about why, see <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>
Here you ...
4 years, 5 months ago (2016-06-29 23:22:22 UTC) #4
Ryan Sleevi
https://codereview.chromium.org/2109913004/diff/1/net/data/ssl/symantec/README.md
File net/data/ssl/symantec/README.md (right):

https://codereview.chromium.org/2109913004/diff/1/net/data/ssl/symantec/README.md#newcode8
net/data/ssl/symantec/README.md:8: For details about why, see <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>
On 2016/06/29 23:22:21, ...
4 years, 5 months ago (2016-06-30 00:03:21 UTC) #5
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2109913004/100001
4 years, 5 months ago (2016-06-30 19:30:27 UTC) #7
commit-bot: I haz the power
Dry run: Try jobs failed on following builders: ios-simulator-gn on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-gn/builds/29908)
4 years, 5 months ago (2016-06-30 20:28:47 UTC) #9
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2109913004/140001
4 years, 5 months ago (2016-06-30 21:02:32 UTC) #11
commit-bot: I haz the power
Dry run: Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_chromeos_ozone_rel_ng/builds/195126)
4 years, 5 months ago (2016-06-30 21:40:06 UTC) #13
commit-bot: I haz the power
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2109913004/160001
4 years, 5 months ago (2016-06-30 21:54:35 UTC) #15
commit-bot: I haz the power
Dry run: This issue passed the CQ dry run.
4 years, 5 months ago (2016-06-30 23:05:18 UTC) #17
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2109913004/160001
4 years, 5 months ago (2016-06-30 23:07:47 UTC) #20
commit-bot: I haz the power
Committed patchset #9 (id:160001)
4 years, 5 months ago (2016-06-30 23:15:40 UTC) #21
commit-bot: I haz the power
CQ bit was unchecked.
4 years, 5 months ago (2016-06-30 23:15:54 UTC) #22
commit-bot: I haz the power
4 years, 5 months ago (2016-06-30 23:17:29 UTC) #24
Message was sent while issue was closed.
Patchset 9 (id:??) landed as
https://crrev.com/c77495f99003b06f5e9d6ac750b6ffb0afdb582a
Cr-Commit-Position: refs/heads/master@{#403328}
