Removing CertificateTransparencyEnforcementDisabledForLegacyCas policy in M128


Matt Mueller

Jun 12, 2024, 7:34:22 PM
to chromium-enterprise, chrome-secur...@chromium.org
Notifying per https://chromium.googlesource.com/chromium/src/+/main/docs/enterprise/add_new_policy.md#removing-support-for-a-policy

The policy to be removed is
CertificateTransparencyEnforcementDisabledForLegacyCas which, although the policy is still present, no longer has any effect.

For the policy to apply the following has to occur:
* The website certificate verifies successfully.
* The root CA is considered by Chrome to be both a "known root" and also a "legacy root".
* Certificate Transparency (CT) enforcement fails.
In this case, the policy can be used to allow the connection to succeed even though CT enforcement failed.

This policy was added at a time when we were using platform verifiers and platform trust stores that contained root CAs that we considered "legacy" in that they may not have adopted modern security and audit requirements required of publicly-trusted CAs.

Now, however, we use the Chrome certificate verifier and Chrome Root Store on most platforms[1]. In this configuration Chrome does not by default trust any legacy roots. If any roots that previously were considered "legacy" are locally trusted by an enterprise, they would not be considered "known roots" and CT enforcement would not be required, so there is no case where the policy will actually apply anymore.

[1] excepting Android WebView and iOS, but in those cases we do not enforce CT, and this policy is not supported on those configurations.

Therefore, the policy can be safely removed without a deprecation period.

(Note that this removal does not impact two other CT related policies, which will continue to be supported: CertificateTransparencyEnforcementDisabledForUrls and CertificateTransparencyEnforcementDisabledForCas)
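The argument above is a reachability argument: the legacy-CA exemption only fires when a root is simultaneously "known" and "legacy", and with the Chrome Root Store those two properties never coincide. The following is an added example, not Chrome's verifier code or anything from the chromium project; it models the decision as a small Python function and enumerates the root/CT combinations for both the old platform-verifier configuration and the Chrome Root Store configuration. The `RootSource` categories, the rule that CT is required only for known roots, the exemption order, and the constructed `sha256/...` hash values are all assumptions made for the illustration.

```python
"""Simplified model of Chrome's Certificate Transparency (CT) enforcement
decision and the three CT-related enterprise policies named in the message.

Added example, not Chrome's code. RootSource, ct-required rule, exemption
order and the hash strings are assumptions used to illustrate the argument.
"""
from dataclasses import dataclass, field
from enum import Enum


class RootSource(Enum):
    CHROME_ROOT_STORE = "chrome_root_store"  # publicly trusted: a "known root"
    LOCAL_TRUST = "local_trust"              # added by the enterprise or user
    PLATFORM_STORE = "platform_store"        # pre-Chrome-Root-Store configuration


@dataclass(frozen=True)
class Connection:
    host: str
    verified: bool            # chain built and verified successfully
    root_source: RootSource
    legacy_root: bool         # root flagged "legacy" (platform-store roots only)
    ct_compliant: bool        # enough SCTs from qualifying logs
    spki_hashes: frozenset    # "sha256/<base64>" for each cert in the chain


@dataclass
class CtPolicies:
    """The three policies, each as a set of hostnames or SPKI hashes."""
    disabled_for_urls: frozenset = field(default_factory=frozenset)
    disabled_for_cas: frozenset = field(default_factory=frozenset)
    disabled_for_legacy_cas: frozenset = field(default_factory=frozenset)


def is_known_root(conn):
    """Assumption: a root is "known" when it comes from a public trust store."""
    return conn.root_source in (RootSource.CHROME_ROOT_STORE, RootSource.PLATFORM_STORE)


def decide(conn, policies, chrome_root_store=True):
    """Return (allowed, reason). chrome_root_store=False models the older
    platform-verifier configuration in which legacy roots could be known roots."""
    if not conn.verified:
        return False, "certificate verification failed"
    if chrome_root_store and conn.root_source == RootSource.PLATFORM_STORE:
        raise ValueError("platform-store roots are not used with the Chrome Root Store")
    if not is_known_root(conn):
        return True, "CT not required: root is locally trusted, not a known root"
    if conn.ct_compliant:
        return True, "CT compliant"
    # CT failed on a publicly trusted root: check the exemptions in turn.
    if conn.host in policies.disabled_for_urls:
        return True, "exempt: CertificateTransparencyEnforcementDisabledForUrls"
    if conn.spki_hashes & policies.disabled_for_cas:
        return True, "exempt: CertificateTransparencyEnforcementDisabledForCas"
    if conn.legacy_root and conn.spki_hashes & policies.disabled_for_legacy_cas:
        return True, "exempt: CertificateTransparencyEnforcementDisabledForLegacyCas"
    return False, "CT enforcement failed"


# Constructed placeholder hash; not a real CA's SPKI hash.
LEGACY_HASH = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="


def legacy_policy_reachable(chrome_root_store):
    """Enumerate root/CT combinations for a CT-failing connection and report
    whether the legacy-CA exemption is ever the deciding factor."""
    policies = CtPolicies(disabled_for_legacy_cas=frozenset({LEGACY_HASH}))
    sources = [RootSource.CHROME_ROOT_STORE, RootSource.LOCAL_TRUST]
    if not chrome_root_store:
        sources.append(RootSource.PLATFORM_STORE)
    for source in sources:
        # The Chrome Root Store contains no legacy roots; other sources may.
        legacy_options = (False,) if source == RootSource.CHROME_ROOT_STORE else (False, True)
        for legacy in legacy_options:
            conn = Connection("example.test", True, source, legacy, False,
                              frozenset({LEGACY_HASH}))
            _, reason = decide(conn, policies, chrome_root_store)
            if "LegacyCas" in reason:
                return True
    return False


if __name__ == "__main__":
    print("platform verifier:  legacy policy reachable =", legacy_policy_reachable(False))
    print("Chrome Root Store:  legacy policy reachable =", legacy_policy_reachable(True))
```

Under the model, the exemption is reachable only when a platform-store root is in play; once every known root comes from the Chrome Root Store, a locally added former legacy root is simply not a known root and skips CT enforcement entirely, while the Urls and Cas exemptions remain reachable for publicly trusted roots that fail CT.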

Marijke Hoste

Jun 18, 2024, 4:21:32 PM
to Matt Mueller, chrome-secur...@chromium.org
chromium-...@chromium.org to bcc

Thanks for reaching out, Matt. Based on the context you shared, we agree that the policy can be safely removed and no mention is needed in the release notes.


--
Marijke Hoste 
Program Manager, Chrome Enterprise
mho...@google.com
