Chromium Code Reviews Chromium Code Reviews
Issue 2239963002:
Add enterprise policy to allow locally issued SHA-1 certificates. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 { | 1 { |
| 2 # policy_templates.json - Metafile for policy templates | 2 # policy_templates.json - Metafile for policy templates |
| 3 # | 3 # |
| 4 # The content of this file is evaluated as a Python expression. | 4 # The content of this file is evaluated as a Python expression. |
| 5 # | 5 # |
| 6 # This file is used as input to generate the following policy templates: | 6 # This file is used as input to generate the following policy templates: |
| 7 # ADM, ADMX+ADML, MCX/plist and html documentation. | 7 # ADM, ADMX+ADML, MCX/plist and html documentation. |
| 8 # | 8 # |
| 9 # Policy templates are user interface definitions or documents about the | 9 # Policy templates are user interface definitions or documents about the |
| 10 # policies that can be used to configure Chrome. Each policy is a name-value | 10 # policies that can be used to configure Chrome. Each policy is a name-value |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 130 # templates and documentation. The policy definition list that Chrome sees | 130 # templates and documentation. The policy definition list that Chrome sees |
| 131 # will include policies marked with 'future'. If a WIP policy isn't meant to | 131 # will include policies marked with 'future'. If a WIP policy isn't meant to |
| 132 # be seen by the policy providers either, the 'supported_on' key should be set | 132 # be seen by the policy providers either, the 'supported_on' key should be set |
| 133 # to an empty list. | 133 # to an empty list. |
| 134 # | 134 # |
| 135 # IDs: | 135 # IDs: |
| 136 # Since a Protocol Buffer definition is generated from this file, unique and | 136 # Since a Protocol Buffer definition is generated from this file, unique and |
| 137 # persistent IDs for all fields (but not for groups!) are needed. These are | 137 # persistent IDs for all fields (but not for groups!) are needed. These are |
| 138 # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, | 138 # specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs, |
| 139 # because doing so would break the deployed wire format! | 139 # because doing so would break the deployed wire format! |
| 140 # For your editing convenience: highest ID currently used: 339 | 140 # For your editing convenience: highest ID currently used: 340 |
| 141 # | 141 # |
| 142 # Placeholders: | 142 # Placeholders: |
| 143 # The following placeholder strings are automatically substituted: | 143 # The following placeholder strings are automatically substituted: |
| 144 # $1 -> Google Chrome / Chromium | 144 # $1 -> Google Chrome / Chromium |
| 145 # $2 -> Google Chrome OS / Chromium OS | 145 # $2 -> Google Chrome OS / Chromium OS |
| 146 # $3 -> Google Chrome Frame / Chromium Frame | 146 # $3 -> Google Chrome Frame / Chromium Frame |
| 147 # $6 is reserved for doc_writer | 147 # $6 is reserved for doc_writer |
| 148 # | 148 # |
| 149 # Device Policy: | 149 # Device Policy: |
| 150 # An additional flag 'device_only' (optional, defaults to False) indicates | 150 # An additional flag 'device_only' (optional, defaults to False) indicates |
| (...skipping 4459 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 4610 'id': 235, | 4610 'id': 235, |
| 4611 'caption': '''Whether online OCSP/CRL checks are required for local trust anchors''', | 4611 'caption': '''Whether online OCSP/CRL checks are required for local trust anchors''', |
| 4612 'tags': [], | 4612 'tags': [], |
| 4613 'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Goo gle Chrome</ex></ph> will always perform revocation checking for server certific ates that successfully validate and are signed by locally-installed CA certifica tes. | 4613 'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Goo gle Chrome</ex></ph> will always perform revocation checking for server certific ates that successfully validate and are signed by locally-installed CA certifica tes. |
| 4614 | 4614 |
| 4615 If <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is unable to obta in revocation status information, such certificates will be treated as revoked ( 'hard-fail'). | 4615 If <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is unable to obta in revocation status information, such certificates will be treated as revoked ( 'hard-fail'). |
| 4616 | 4616 |
| 4617 If this policy is not set, or it is set to false, then <ph name="PRODUCT_N AME">$1<ex>Google Chrome</ex></ph> will use the existing online revocation check ing settings.''', | 4617 If this policy is not set, or it is set to false, then <ph name="PRODUCT_N AME">$1<ex>Google Chrome</ex></ph> will use the existing online revocation check ing settings.''', |
| 4618 }, | 4618 }, |
| 4619 { | 4619 { |
| 4620 'name': 'EnableSha1ForLocalAnchors', | |
| 4621 'type': 'main', | |
| 4622 'schema': { 'type': 'boolean' }, | |
| 4623 'supported_on': ['chrome.*:54-', 'chrome_os:54-', 'android:54-'], | |
| 4624 'features': { | |
| 4625 'dynamic_refresh': True, | |
| 4626 'per_profile': False, | |
| 4627 }, | |
| 4628 'example_value': False, | |
| 4629 'id': 340, | |
| 4630 'caption': '''Whether SHA-1 signed certificates issued by local trust anch ors are allowed''', | |
| 4631 'tags': ['system-security'], | |
| 4632 'desc': '''When this setting is enabled, <ph name="PRODUCT_NAME">$1<ex>Goo gle Chrome</ex></ph> will allow SHA-1 signed certificates as long as they succes sfully validate and chain to a locally-installed CA certificates. | |
|
Thiemo Nagel
2016/08/12 13:12:44
Style nit: I'd suggest to use present tense.
mattm
2016/08/12 20:48:14
Done.
| |
| 4633 | |
| 4634 Note that this policy depends on the operating system certificate verifica tion stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy may no longer have effect. Further, this polic y is intended as a temporary workaround to give enterprises more time to move aw ay from SHA-1. This policy will be removed on or around January 1st 2019. | |
| 4635 | |
| 4636 If this policy is not set, or it is set to false, then <ph name="PRODUCT_N AME">$1<ex>Google Chrome</ex></ph> will follow the publicly announced SHA-1 depr ecation schedule.''', | |
|
Thiemo Nagel
2016/08/12 13:12:45
Same here, suggest to use present tense.
mattm
2016/08/12 20:48:14
Done.
| |
| 4637 }, | |
| 4638 { | |
| 4620 'name': 'ForceEphemeralProfiles', | 4639 'name': 'ForceEphemeralProfiles', |
| 4621 'type': 'main', | 4640 'type': 'main', |
| 4622 'schema': { 'type': 'boolean' }, | 4641 'schema': { 'type': 'boolean' }, |
| 4623 'supported_on': ['chrome.*:32-'], | 4642 'supported_on': ['chrome.*:32-'], |
| 4624 'features': { | 4643 'features': { |
| 4625 'dynamic_refresh': False, | 4644 'dynamic_refresh': False, |
| 4626 'per_profile': True, | 4645 'per_profile': True, |
| 4627 }, | 4646 }, |
| 4628 'example_value': True, | 4647 'example_value': True, |
| 4629 'id': 245, | 4648 'id': 245, |
| (...skipping 4304 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 8934 'desc': '''Text appended in parentheses next to the policies top-level con tainer to indicate that those policies are of the Recommended level''', | 8953 'desc': '''Text appended in parentheses next to the policies top-level con tainer to indicate that those policies are of the Recommended level''', |
| 8935 'text': 'Default Settings (users can override)', | 8954 'text': 'Default Settings (users can override)', |
| 8936 }, | 8955 }, |
| 8937 'doc_complex_policies_on_windows': { | 8956 'doc_complex_policies_on_windows': { |
| 8938 'desc': '''Text pointing the user to a help article for complex policies o n Windows''', | 8957 'desc': '''Text pointing the user to a help article for complex policies o n Windows''', |
| 8939 'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POL ICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<e x>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>' '', | 8958 'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POL ICIES_URL">https://www.chromium.org/administrators/complex-policies-on-windows<e x>https://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>' '', |
| 8940 }, | 8959 }, |
| 8941 }, | 8960 }, |
| 8942 'placeholders': [], | 8961 'placeholders': [], |
| 8943 } | 8962 } |
| OLD | NEW |
