| Index: net/data/ssl/symantec/README.md
|
| diff --git a/net/data/ssl/symantec/README.md b/net/data/ssl/symantec/README.md
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..963c1a9ab34518f098c1036b8e8b0086e746e1ca
|
| --- /dev/null
|
| +++ b/net/data/ssl/symantec/README.md
|
| @@ -0,0 +1,52 @@
|
| +# Symantec Certificates
|
| +
|
| +This directory contains the set of known active and legacy root certificates
|
| +operated by Symantec Corporation. In order for certificates issued from
|
| +roots to be trusted, it is required that the certificates be logged using
|
| +Certificate Transparency.
|
| +
|
| +For details about why, see <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>
|
| +
|
| +The exception to this is sub-CAs which have been disclosed as independently
|
| +operated, whose keys are not in control of Symantec, and which are maintaining
|
| +a current and appropriate audit.
|
| +
|
| +## Roots
|
| +
|
| +The full set of roots are in the [roots/](roots/) directory, organized by SHA-256 hash of the certificate file.
|
| +
|
| +The following command can be used to match certificates and their key hashes:
|
| +
|
| +`` for f in roots/*.pem; do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; echo "0x${digest} ${f##*/}"; done | sort ``
|
| +
|
| +## Excluded Sub-CAs
|
| +
|
| +### Aetna
|
| +
|
| +[Certification Practices Statement](http://crl.aetna.com/aetnacps.pdf)
|
| +Note: Not issuing new certificates and can be removed after October 2016.
|
| +
|
| + * [d6e4e7b9af3bd5a8f2d6321cde26639c25644f7307ce16aad347d9ad53d3ce13.pem](excluded/d6e4e7b9af3bd5a8f2d6321cde26639c25644f7307ce16aad347d9ad53d3ce13.pem)
|
| +
|
| +### Apple
|
| +
|
| +[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1917)
|
| +[Certification Practices Statement](http://images.apple.com/certificateauthority/pdf/Apple_IST_CPS_v2.0.pdf)
|
| +
|
| + * [17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem](excluded/17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem)
|
| + * [3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem](excluded/3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem)
|
| + * [6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem](excluded/6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem)
|
| + * [904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem](excluded/904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem)
|
| + * [ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem](excluded/ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem)
|
| +
|
| +### Google
|
| +
|
| +[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1941)
|
| +[Certification Practices Statement](http://static.googleusercontent.com/media/pki.google.com/en//GIAG2-CPS-1.3.pdf)
|
| +
|
| + * [c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem](excluded/c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem)
|
| +
|
| +### Unicredit
|
| +
|
| + * [8c31013d19f8eea618c95fda6d21f5777c6e930c7413031559ee863d78dfe809.pem](excluded/8c31013d19f8eea618c95fda6d21f5777c6e930c7413031559ee863d78dfe809.pem)
|
| +
|
|
|
Chromium Code Reviews
Issue 2109913004:
Require Certificate Transparency for Symantec-operated roots (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@wire_up_policy