net/data/ssl/blacklist/README.md - Issue 2951343002: Remove residual support for SHA-1 public key pins.

Side by Side Diff: net/data/ssl/blacklist/README.md

Issue 2951343002: Remove residual support for SHA-1 public key pins. (Closed)

Patch Set: Remove more code, use SHA-256 for the blacklist, and include the original FRST and India CCA certs. Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« net/cert/cert_verify_proc_builtin.cc ('K') | « net/data/ssl/blacklist/60109bc6c38328598a112c7a25e38b0f23e5a7511cb815fb64e0c4ff05db7df7.pem ('k') | net/data/ssl/blacklist/b9bea7860a962ea3611dab97ab6da3e21c1068b97d55575ed0e11279c11c8932.pem » ('j') | net/http/transport_security_state.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 # Certificate Blacklist	1 # Certificate Blacklist

2	2

3 This directory contains a number of certificates and public keys which are	3 This directory contains a number of certificates and public keys which are

4 considered blacklisted within Chromium-based products.	4 considered blacklisted within Chromium-based products.

5	5

6 When applicable, additional information and the full certificate or key	6 When applicable, additional information and the full certificate or key

7 are included.	7 are included.

8	8

9 ## Compromises & Misissuances	9 ## Compromises & Misissuances

10	10

(...skipping 53 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
64 and <https://technet.microsoft.com/en-us/library/security/2982792.aspx>	64 and <https://technet.microsoft.com/en-us/library/security/2982792.aspx>

65	65

66 An unknown number of misissued certificates were issued by a sub-CA of	66 An unknown number of misissued certificates were issued by a sub-CA of

67 India CCA, the India NIC. Due to the scope of the misissuance, the sub-CA	67 India CCA, the India NIC. Due to the scope of the misissuance, the sub-CA

68 was wholly revoked, and India CCA was constrained to a subset of India's	68 was wholly revoked, and India CCA was constrained to a subset of India's

69 ccTLD namespace.	69 ccTLD namespace.

70	70

71 * [67ed4b703d15dc555f8c444b3a05a32579cb7599bd19c9babe10c584ea327ae0.pem](67ed4 b703d15dc555f8c444b3a05a32579cb7599bd19c9babe10c584ea327ae0.pem)	71 * [67ed4b703d15dc555f8c444b3a05a32579cb7599bd19c9babe10c584ea327ae0.pem](67ed4 b703d15dc555f8c444b3a05a32579cb7599bd19c9babe10c584ea327ae0.pem)

72 * [a8e1dfd9cd8e470aa2f443914f931cfd61c323e94d75827affee985241c35ce5.pem](a8e1d fd9cd8e470aa2f443914f931cfd61c323e94d75827affee985241c35ce5.pem)	72 * [a8e1dfd9cd8e470aa2f443914f931cfd61c323e94d75827affee985241c35ce5.pem](a8e1d fd9cd8e470aa2f443914f931cfd61c323e94d75827affee985241c35ce5.pem)

73 * [e4f9a3235df7330255f36412bc849fb630f8519961ec3538301deb896c953da5.pem](e4f9a 3235df7330255f36412bc849fb630f8519961ec3538301deb896c953da5.pem)	73 * [e4f9a3235df7330255f36412bc849fb630f8519961ec3538301deb896c953da5.pem](e4f9a 3235df7330255f36412bc849fb630f8519961ec3538301deb896c953da5.pem)

	74 * [2d66a702ae81ba03af8cff55ab318afa919039d9f31b4d64388680f81311b65a.pem](2d66a 702ae81ba03af8cff55ab318afa919039d9f31b4d64388680f81311b65a.pem)

	75 * [60109bc6c38328598a112c7a25e38b0f23e5a7511cb815fb64e0c4ff05db7df7.pem](60109 bc6c38328598a112c7a25e38b0f23e5a7511cb815fb64e0c4ff05db7df7.pem)

	76 * [b9bea7860a962ea3611dab97ab6da3e21c1068b97d55575ed0e11279c11c8932.pem](b9bea 7860a962ea3611dab97ab6da3e21c1068b97d55575ed0e11279c11c8932.pem)

	77 * [f375e2f77a108bacc4234894a9af308edeca1acd8fbde0e7aaa9634e9daf7e1c.pem](f375e 2f77a108bacc4234894a9af308edeca1acd8fbde0e7aaa9634e9daf7e1c.pem)
	davidben 2017/06/26 20:15:56 So currently everything in this directory correspo So currently everything in this directory corresponds to an entry in cert_verify_proc_blacklist.inc (although I don't see a script to generate it anywhere...). These aren't blacklisted but name-constrained. Previously the wosign certs were in a separate net/data/ssl/wosign directory and then folded in here when they converted to a straight-up blacklist. Perhaps move these to net/data/ssl/name_constrained/? palmer 2017/06/26 21:32:59 Done. Show quoted text > So currently everything in this directory corresponds to an entry in cert_verify_proc_blacklist.inc (although I don't see a script to generate it anywhere...). These aren't blacklisted but name-constrained. Previously the wosign certs were in a separate net/data/ssl/wosign directory and then folded in here when they converted to a straight-up blacklist. > > Perhaps move these to net/data/ssl/name_constrained/? Done.
74	78

75 ### Trustwave	79 ### Trustwave

76	80

77 For details, see <https://www.trustwave.com/Resources/SpiderLabs-Blog/Clarifying -The-Trustwave-CA-Policy-Update/>	81 For details, see <https://www.trustwave.com/Resources/SpiderLabs-Blog/Clarifying -The-Trustwave-CA-Policy-Update/>

78 and <https://bugzilla.mozilla.org/show_bug.cgi?id=724929>	82 and <https://bugzilla.mozilla.org/show_bug.cgi?id=724929>

79	83

80 Two certificates were issued by Trustwave for use in enterprise	84 Two certificates were issued by Trustwave for use in enterprise

81 Man-in-the-Middle. The following public key was used for both certificates,	85 Man-in-the-Middle. The following public key was used for both certificates,

82 and is revoked.	86 and is revoked.

83	87

(...skipping 126 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
210 For details, see <https://security.googleblog.com/2016/10/distrusting-wosign-and -startcom.html>	214 For details, see <https://security.googleblog.com/2016/10/distrusting-wosign-and -startcom.html>

211	215

212 * [4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem](4b22d 5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem)	216 * [4b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem](4b22d 5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708.pem)

213 * [7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem](7d8ce 822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem)	217 * [7d8ce822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem](7d8ce 822222b90c0b14342c7a8145d1f24351f4d1a1fe0edfd312ee73fb00149.pem)

214 * [8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem](8b45d a1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem)	218 * [8b45da1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem](8b45d a1c06f791eb0cabf26be588f5fb23165c2e614bf885562d0dce50b29b02.pem)

215 * [c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem](c766a 9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem)	219 * [c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem](c766a 9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea.pem)

216 * [c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem](c7ba6 567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem)	220 * [c7ba6567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem](c7ba6 567de93a798ae1faa791e712d378fae1f93c4397fea441bb7cbe6fd5995.pem)

217 * [d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem](d487a 56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem)	221 * [d487a56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem](d487a 56f83b07482e85e963394c1ecc2c9e51d0903ee946b02c301581ed99e16.pem)

218 * [d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem](d6f03 4bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem)	222 * [d6f034bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem](d6f03 4bd94aa233f0297eca4245b283973e447aa590f310c77f48fdf83112254.pem)

219 * [e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem](e1789 0ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem)	223 * [e17890ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem](e1789 0ee09a3fbf4f48b9c414a17d637b7a50647e9bc752322727fcc1742a911.pem)

OLD	NEW