Defang the CT Timebomb

Defang the CT Timebomb

A timebomb existed that if the set of known CT logs goes stale,
no certificate can comply with the Certificate Transparency
policy, beause the logs may be out of date and not trustworthy. The
set of known logs goes stale 10 weeks after the build date.

While this was acceptable to cause EV certificates to downgrade to
DV certificates, this also means that certificates issued by CAs
that MUST be CT compliant also fail to work - they fail closed,
rather than fail open. In particular, certificates issued by
Symantec fail to work if it's more than 10 weeks after the build
date - in effect, the default behaviour is to distrust Symantec.

While the proper behaviour is debated - to either fail open (like
HSTS and HPKP do), treating CT as additive, or to fail closed,
treating CT as a restrictive policy that must be made - change
the code to allow an out of date build to skip the CT checks,
failing open.

BUG=664177
Committed: https://crrev.com/ec8e431e9a0f80ace76368ce7edce006f3d409f2
Cr-Commit-Position: refs/heads/master@{#431707}

[Ryan Sleevi, 2016-11-10 17:18:05]

rsleevi@chromium.org changed reviewers:
+ davidben@chromium.org

[davidben, 2016-11-11 12:52:54]

lgtm

[Ryan Sleevi, 2016-11-11 22:49:24]

The CQ bit was checked by rsleevi@chromium.org

[commit-bot: I haz the power, 2016-11-11 22:49:46]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-12 00:32:58]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2016-11-12 00:36:22]

Description was changed from

==========
Defang the CT Timebomb

A timebomb existed that if the set of known CT logs goes stale,
no certificate can comply with the Certificate Transparency
policy, beause the logs may be out of date and not trustworthy. The
set of known logs goes stale 10 weeks after the build date.

While this was acceptable to cause EV certificates to downgrade to
DV certificates, this also means that certificates issued by CAs
that MUST be CT compliant also fail to work - they fail closed,
rather than fail open. In particular, certificates issued by
Symantec fail to work if it's more than 10 weeks after the build
date - in effect, the default behaviour is to distrust Symantec.

While the proper behaviour is debated - to either fail open (like
HSTS and HPKP do), treating CT as additive, or to fail closed,
treating CT as a restrictive policy that must be made - change
the code to allow an out of date build to skip the CT checks,
failing open.

BUG=664177
==========

to

==========
Defang the CT Timebomb

A timebomb existed that if the set of known CT logs goes stale,
no certificate can comply with the Certificate Transparency
policy, beause the logs may be out of date and not trustworthy. The
set of known logs goes stale 10 weeks after the build date.

While this was acceptable to cause EV certificates to downgrade to
DV certificates, this also means that certificates issued by CAs
that MUST be CT compliant also fail to work - they fail closed,
rather than fail open. In particular, certificates issued by
Symantec fail to work if it's more than 10 weeks after the build
date - in effect, the default behaviour is to distrust Symantec.

While the proper behaviour is debated - to either fail open (like
HSTS and HPKP do), treating CT as additive, or to fail closed,
treating CT as a restrictive policy that must be made - change
the code to allow an out of date build to skip the CT checks,
failing open.

BUG=664177

Committed: https://crrev.com/ec8e431e9a0f80ace76368ce7edce006f3d409f2
Cr-Commit-Position: refs/heads/master@{#431707}
==========

[commit-bot: I haz the power, 2016-11-12 00:36:24]

Patchset 1 (id:??) landed as
https://crrev.com/ec8e431e9a0f80ace76368ce7edce006f3d409f2
Cr-Commit-Position: refs/heads/master@{#431707}