Chromium Code Reviews

Issue 2511583002: Defang the CT Timebomb (Closed)

Created: 4 years, 1 month ago by Ryan Sleevi
Modified: 4 years, 1 month ago
Reviewers:
CC: chromium-reviews
Target Ref: refs/pending/branch-heads/2883
Project: chromium
Visibility: Public.

Description

Defang the CT Timebomb

A timebomb existed that if the set of known CT logs goes stale, no certificate can comply with the Certificate Transparency policy, because the logs may be out of date and not trustworthy. The set of known logs goes stale 10 weeks after the build date.

While this was acceptable to cause EV certificates to downgrade to DV certificates, this also means that certificates issued by CAs that MUST be CT compliant also fail to work - they fail closed, rather than fail open. In particular, certificates issued by Symantec fail to work if it's more than 10 weeks after the build date - in effect, the default behaviour is to distrust Symantec.

While the proper behaviour is debated - to either fail open (like HSTS and HPKP do), treating CT as additive, or to fail closed, treating CT as a restrictive policy that must be made - change the code to allow an out of date build to skip the CT checks, failing open.

BUG=664177

Review-Url: https://codereview.chromium.org/2495583002
Cr-Commit-Position: refs/heads/master@{#431707}
(cherry picked from commit ec8e431e9a0f80ace76368ce7edce006f3d409f2)

Committed: https://chromium.googlesource.com/chromium/src/+/98538c32c96bed2d6d68d89cb4d06c49b8f5e0b5

Patch Set 1 #

Stats: +6 lines, -0 lines

M net/quic/chromium/crypto/proof_verifier_chromium.cc (1 chunk, +2 lines, -0 lines, 0 comments)
M net/socket/ssl_client_socket_impl.cc (1 chunk, +2 lines, -0 lines, 0 comments)
M net/spdy/spdy_session.cc (1 chunk, +2 lines, -0 lines, 0 comments)

Messages

Total messages: 2 (1 generated)
Ryan Sleevi
4 years, 1 month ago (2016-11-16 22:44:32 UTC) #2
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as 98538c32c96bed2d6d68d89cb4d06c49b8f5e0b5.
