net/data/ssl/symantec/README.md - Issue 2109913004: Require Certificate Transparency for Symantec-operated roots

Side by Side Diff: net/data/ssl/symantec/README.md

Issue 2109913004: Require Certificate Transparency for Symantec-operated roots (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@wire_up_policy

Patch Set: Created 4 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « net/data/ssl/blacklist/README.md ('k') | net/data/ssl/symantec/excluded/17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem » ('j') | net/data/ssl/symantec/roots/9e503738722e0a104cf659ff9f92f0b5b3662acd112d4664d1e7db93abf46a59.pem » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 # Symantec Certificates

	2

	3 This directory contains the set of known active and legacy root certificates

	4 operated by Symantec Corporation. In order for certificates issued from

	5 roots to be trusted, it is required that the certificates be logged using

	6 Certificate Transparency.

	7

	8 For details about why, see <https://security.googleblog.com/2015/10/sustaining-d igital-certificate-security.html>
	eroman 2016/06/29 23:22:21 Here you are using the <...> notation, whereas in Here you are using the <...> notation, whereas in the other files you changed it all to [](), presumably because gitiles doesn't linkdify the angle flavor. Was using angle brackets intentional here? Ryan Sleevi 2016/06/30 00:03:20 Yeah, Markdown syntax (which is why I fixed the bl Show quoted text On 2016/06/29 23:22:21, eroman wrote: > Here you are using the <...> notation, whereas in the other files you changed it > all to [](), presumably because gitiles doesn't linkdify the angle flavor. > > Was using angle brackets intentional here? Yeah, Markdown syntax (which is why I fixed the blacklist) <> shows the URL, while []() shows a description and linkifies
	9

	10 The exception to this is sub-CAs which have been disclosed as independently

	11 operated, whose keys are not in control of Symantec, and which are maintaining

	12 a current and appropriate audit.

	13

	14 ## Roots

	15

	16 The full set of roots are in the [roots/](roots/) directory, organized by SHA-25 6 hash of the certificate file.
	eroman 2016/06/29 23:22:21 nit: The above lines look to be wrapped, whereas t nit: The above lines look to be wrapped, whereas this one is longer.
	17

	18 The following command can be used to match certificates and their key hashes:

	19

	20 `` for f in roots/.pem; do openssl x509 -noout -pubkey -in "${f}" \| openssl asn 1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out \| op enssl dgst -sha256 -c \| awk -F " " '{print $2}' \| sed s/:/,0x/g `; echo "0x${dig est} ${f##/}"; done \| sort ``

	21

	22 ## Excluded Sub-CAs

	23

	24 ### Aetna

	25
	Ryan Sleevi 2016/06/29 22:03:25 Symantec has sent the audit details directly, beca Symantec has sent the audit details directly, because Aetna didn't get a WebTrust seal.
	26 [Certification Practices Statement](http://crl.aetna.com/aetnacps.pdf)

	27 Note: Not issuing new certificates and can be removed after October 2016.

	28

	29 * [d6e4e7b9af3bd5a8f2d6321cde26639c25644f7307ce16aad347d9ad53d3ce13.pem](exclu ded/d6e4e7b9af3bd5a8f2d6321cde26639c25644f7307ce16aad347d9ad53d3ce13.pem)

	30

	31 ### Apple

	32
	Ryan Sleevi 2016/06/29 22:03:25 Yes, the omission of IST 1 and IST 3 are intention Yes, the omission of IST 1 and IST 3 are intentional (I don't know if an IST 1 exists, and it seems the audit didn't cover IST 3 which has never been used)
	33 [WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1917)

	34 [Certification Practices Statement](http://images.apple.com/certificateauthority /pdf/Apple_IST_CPS_v2.0.pdf)

	35

	36 * [17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem](exclu ded/17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem)

	37 * [3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem](exclu ded/3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem)

	38 * [6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem](exclu ded/6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem)

	39 * [904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem](exclu ded/904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem)

	40 * [ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem](exclu ded/ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem)

	41

	42 ### Google

	43

	44 [WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1941)

	45 [Certification Practices Statement](http://static.googleusercontent.com/media/pk i.google.com/en//GIAG2-CPS-1.3.pdf)

	46

	47 * [c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem](exclu ded/c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem)

	48

	49 ### Unicredit

	50
	Ryan Sleevi 2016/06/29 22:03:25 CPS & audit are still forthcoming; this may not ma CPS & audit are still forthcoming; this may not make the final cut.
	51 * [8c31013d19f8eea618c95fda6d21f5777c6e930c7413031559ee863d78dfe809.pem](exclu ded/8c31013d19f8eea618c95fda6d21f5777c6e930c7413031559ee863d78dfe809.pem)

	52

OLD	NEW