All,
The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.
On numerous instances over the last three years, e-commerce monitoring GmbH fell short of the above expectations (e.g., [1],[2],[3],[4],[5],[6],[7],[8]). In light of this, we have reached the conclusion that the GLOBALTRUST 2020 certificates suffer from a loss of integrity and action is required from the perspective of ensuring web security for Chrome users. To safeguard Chrome’s users, we are taking the following action.
Upcoming change in Chrome 124 and higher:
This approach attempts to minimize disruption to existing e-commerce monitoring GmbH subscribers, using a new Chrome feature to remove default trust based on the SCTs in certificates.
Thank you
-Chris, on behalf of the Chrome Root Program
Hi Andrew,
1. Are SCTs from any log accepted, or only logs that are Qualified/Usable/Readonly?
The latter. We’re relying only on SCTs from logs considered trusted in Chrome (i.e., Qualified/Usable/Readonly).
2. I'm curious if you or anyone else is aware of efforts to audit CT log entries for backdated timestamps?
We’re not aware of any existing efforts to actively detect backdated timestamps. It might be worth also exploring this question with ct-p...@chromium.org.
Thank you
-Chris
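As an added illustration (not code from the Chrome Root Program or from this thread), a Python model of the SCT-based rule discussed in both messages: parse a certificate's SCT list, keep only SCTs from a trusted-log set, and compare the earliest remaining timestamp against a cutoff. The trusted log IDs, the cutoff date and the sample SCTs are constructed placeholders, and the rule takes the log-asserted timestamp at face value, which is why the backdating question matters.

```python
import struct
from datetime import datetime, timezone

# Constructed stand-ins: two "trusted" log IDs and a placeholder cutoff date.
# The real trusted-log IDs and the real cutoff are not given on this page.
TRUSTED_LOG_IDS = {b"\xaa" * 32, b"\xbb" * 32}
CUTOFF = datetime(2024, 6, 30, 23, 59, 59, tzinfo=timezone.utc)  # placeholder

def parse_sct_list(blob: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (the value carried in
    the 1.3.6.1.4.1.11129.2.4.2 certificate extension). Returns (log_id, ms)."""
    (total,) = struct.unpack_from(">H", blob, 0)
    if 2 + total != len(blob):
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(blob):
        (n,) = struct.unpack_from(">H", blob, pos)
        sct, pos = blob[pos + 2:pos + 2 + n], pos + 2 + n
        # v1 SCT: version(1) log_id(32) timestamp(8) extensions(2+N) signature(1+1+2+M)
        if len(sct) < 47 or sct[0] != 0:
            raise ValueError("unsupported SCT version or truncated SCT")
        (ext_len,) = struct.unpack_from(">H", sct, 41)
        (sig_len,) = struct.unpack_from(">H", sct, 45 + ext_len)
        if 47 + ext_len + sig_len != len(sct):
            raise ValueError("SCT inner length mismatch")
        scts.append((sct[1:33], struct.unpack_from(">Q", sct, 33)[0]))
    return scts

def earliest_trusted_sct(scts, trusted_log_ids):
    """Earliest timestamp among SCTs from trusted logs, or None if there is none."""
    stamps = [ms for log_id, ms in scts if log_id in trusted_log_ids]
    return None if not stamps else datetime.fromtimestamp(min(stamps) / 1000, tz=timezone.utc)

def loses_default_trust(scts, trusted_log_ids=TRUSTED_LOG_IDS, cutoff=CUTOFF):
    """Cutoff rule: trust is kept only if the earliest SCT from a trusted log is at
    or before the cutoff. A certificate with no trusted SCT would fail CT
    enforcement anyway, so it is reported as losing trust (assumption)."""
    earliest = earliest_trusted_sct(scts, trusted_log_ids)
    return earliest is None or earliest > cutoff

# --- constructed sample data (dummy signatures, not verifiable) ---
def _ms(dt):
    return int(dt.timestamp() * 1000)

def build_sct(log_id: bytes, ts_ms: int) -> bytes:
    """Length-prefixed minimal v1 SCT: empty extensions, 4-byte dummy signature."""
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00" + b"\x04\x03\x00\x04\xde\xad\xbe\xef"
    return struct.pack(">H", len(body)) + body

def build_sct_list(*scts: bytes) -> bytes:
    inner = b"".join(scts)
    return struct.pack(">H", len(inner)) + inner

UTC = timezone.utc
# Untrusted log stamped earliest, plus trusted logs before and after the cutoff.
MIXED = build_sct_list(build_sct(b"\xcc" * 32, _ms(datetime(2024, 1, 1, tzinfo=UTC))),
                       build_sct(b"\xaa" * 32, _ms(datetime(2024, 5, 1, tzinfo=UTC))),
                       build_sct(b"\xbb" * 32, _ms(datetime(2024, 8, 1, tzinfo=UTC))))
LATE = build_sct_list(build_sct(b"\xbb" * 32, _ms(datetime(2024, 8, 1, tzinfo=UTC))))
```

The untrusted log's earlier timestamp in MIXED is ignored, so only the trusted May SCT decides the outcome; LATE carries a trusted SCT only after the cutoff and loses default trust.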