embedder questions RE: disabling BuiltinCertificateVerifierEnabled enterprise policy (on mac)

Erik Anderson

Aug 31, 2022, 8:19:35 PM
to Matt Mueller, embedd...@chromium.org

<moving this over to embedder-dev>

Yes, the issue I saw looks quite similar to 1351985 in terms of it reporting ERR_CERT_AUTHORITY_INVALID.

In the situation I looked at, the cert doesn’t comply with CT requirements (despite chaining to a trusted root) whereas in that existing bug it seems unlikely the cert google.com is presenting is not compliant (though the end result of a CT failure could, of course, still happen if the Mac verifier has an issue). It also appeared to be a persistent issue affecting all of their machines.

Since it was a fairly esoteric interaction with how they chose to issue their cert and it appeared to be an issue with the macOS resolver that will soon be irrelevant once the built-in resolver is enabled by default, I didn’t do a further follow up in the form of a crbug.

As noted in https://crbug.com/1346444, Edge will likely ship our own root store using the built-in verifier. If we’re going to expose a similar policy, I will likely name it something like BuiltInRootStoreUsed.

Is the M107 change going to change or remove the CHROME_ROOT_STORE_SUPPORTED build flag? Or is that planned for around M111? If it’s going to stick around until then and an embedder sets it to false, would you anticipate the ChromeRootStoreEnabled policy just controlling if the built-in verifier gets used?

To reiterate the reason I’m asking these questions: I’m trying to determine if I now have less time than I previously anticipated to get our own PKI Metadata component stood up.

From: Erik Anderson
Sent: Wednesday, August 31, 2022 5:09 PM
To: 'Matt Mueller' <ma...@google.com>
Cc: chromium-...@chromium.org
Subject: RE: disabling BuiltinCertificateVerifierEnabled enterprise policy (on mac)

I have some more questions, but they’re centered around embedder-specific concerns. I’m going to drop chromium-...@chromium.org and add embedd...@chromium.org for my next reply.

From: 'Matt Mueller' via chromium-enterprise <chromium-...@chromium.org>
Sent: Wednesday, August 31, 2022 4:26 PM
To: Erik Anderson <Erik.A...@microsoft.com>
Cc: chromium-...@chromium.org
Subject: Re: disabling BuiltinCertificateVerifierEnabled enterprise policy (on mac)

On Wed, Aug 31, 2022 at 3:26 PM Erik Anderson <Erik.A...@microsoft.com> wrote:

Hi Matt,

Thanks for the heads up.

To make sure I’m parsing the plan, can you confirm if my understanding is correct?: The built-in certificate verifier is currently disabled by default on Mac, but can be turned on with the CertVerifierBuiltin or ChromeRootStoreUsed feature via Finch. Moving forward, you will only support switching on or off the built-in cert verifier via policy if the embedder/user is also okay with the effect of enabling/disabling the use of the Chrome Root Store.

Correct.

Or, asked differently: what will happen if the ChromeRootStoreUsed policy is disabled after this change happens? Will the built-in verifier still be used (i.e. the new state is it’s always used on Mac) or will the built-in verifier be disabled as well?

If ChromeRootStoreUsed policy is disabled, the built-in verifier would also be disabled.

In what milestone are you planning to remove support for the BuiltinCertificateVerifierEnabled policy? M107?

Yes, I was planning on removing it in M107.

The reason I ask is that, as an embedder, we have encountered at least one enterprise that encountered issues with the Cert Transparency bypass policies on Mac, which appeared to be an interaction with the macOS verifier;

Not sure, but I believe you might be referring to https://crbug.com/1351985?

Sorry, there are not actually many useful details in the bug, but you can star the bug and we'll be updating it if we receive updates from Apple about the issue.

If it is the same issue, a workaround for now is just to reboot a machine when it gets into that state.

the issue went away when they enabled BuiltinCertificateVerifierEnabled. This change could potentially require us to add a new policy to do something to continue to allow the built-in verifier without taking the Chrome Root Store, but we’re not yet ready to produce our own PKI Metadata component to ship our own Microsoft root store. In other words, the timing is potentially challenging for us.

Thanks!

From: 'Matt Mueller' via chromium-enterprise <chromium-...@chromium.org>
Sent: Wednesday, August 31, 2022 2:59 PM
To: chromium-...@chromium.org
Subject: disabling BuiltinCertificateVerifierEnabled enterprise policy (on mac)

We are going to disable the BuiltinCertificateVerifierEnabled enterprise policy, which is currently still supported on Mac, and which was previously used on Linux and ChromeOS as well. We have stopped the launch related to that policy on Mac and instead are proceeding with the Chrome Root Store launch (and the ChromeRootStoreEnabled policy).

The new policy was already included/announced in M105, so this shouldn't be a surprise to enterprises, and will only affect anyone who was explicitly setting the old policy to true to force the new verifier on regardless of the launch status. The old policy (and the new policy) are explicitly documented as time-limited escape hatch policies.

Tracking this in https://crbug.com/1358693.

Let me know if you have any questions.

--
You received this message because you are subscribed to the Google Groups "chromium-enterprise" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-enterp...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-enterprise/CAMFW8HGJnQZXCWK0yA-pvhppSwfWLWnM-epa1dG8vn0_YTpT6Q%40mail.gmail.com.
