Changes to Certificate Transparency in Chromium for Embedders/Distributors


Ryan Sleevi

Aug 29, 2019, 7:49:39 PM8/29/19
to Chromium Embedders
Hey all,

I just wanted to note for folks that, as of https://crrev.com/691802, Certificate Transparency is disabled for Chromium and Chromium-derived builds (i.e. those builds that build from src/chrome).

Certificate Transparency has long been disabled-by-default for //content embedders, and the reasoning for that is covered in https://chromium.googlesource.com/chromium/src/+/master/net/docs/certificate-transparency.md#Supporting-Certificate-Transparency-for-Embedders

This change now propagates to Chromium builds (i.e. those built without GOOGLE_CHROME_BRANDING), and also only applies to OFFICIAL_BUILDS. This doesn't change anything for mobile (iOS, Android), where Chrome continues to not enforce Certificate Transparency. For //content embedders, this now requires that additional configuration be passed through the Mojo interfaces.

Before considering enabling Certificate Transparency, such as by locally patching out those changes, please revisit the documentation and motivation. The key requirement to successfully deploying Certificate Transparency remains that agility is needed. You need a "fresh" list of logs and the ability to update this log list, and to disable if the list has not been updated in some time. The requirement of OFFICIAL_BUILD ensures deterministic disabling, and the requirement of GOOGLE_CHROME_BRANDING ensures guaranteed reliable freshness and update capability.

Enabling Certificate Transparency without these two capabilities can have negative consequences for your product or the ecosystem. If you do re-enable Certificate Transparency, please strongly consider participating in ct-p...@chromium.org, to join in discussions not just regarding Chromium, but with other user agents, such as Apple and Mozilla. This helps minimize risk to the ecosystem from incompatible or outdated changes.

We're continuing to explore how best to enable Certificate Transparency for mobile versions of Chrome, as well as for Chromium embedders that make use of the Component Updater, so expect this code to change and improve in time.
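As an added illustration (not code from the post or from Chromium) of the gate the post describes, the following only turns CT enforcement on when the embedded log list is recent and an update path exists. The JSON field names, the 70-day staleness bound and the sample log list are assumptions constructed for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the general shape of a CT log list (field names assumed).
SAMPLE_LOG_LIST = json.dumps({
    "version": "1.2",
    "log_list_timestamp": "2019-08-20T00:00:00Z",
    "operators": [
        {"name": "Example Operator",
         "logs": [
             {"description": "Example Log 2019", "log_id": "AAAA",
              "url": "https://ct.example/2019/",
              "state": {"usable": {"timestamp": "2019-01-01T00:00:00Z"}}},
             {"description": "Example Log Old", "log_id": "BBBB",
              "url": "https://ct.example/old/",
              "state": {"retired": {"timestamp": "2019-06-01T00:00:00Z"}}},
         ]},
    ],
})

MAX_LOG_LIST_AGE = timedelta(days=70)  # assumed bound; not a value from the post


def parse_ts(value):
    """Parse an RFC 3339 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def log_list_is_fresh(log_list_json, now, max_age=MAX_LOG_LIST_AGE):
    """True only if the list was produced no more than max_age ago (and not in the future)."""
    data = json.loads(log_list_json)
    age = now - parse_ts(data["log_list_timestamp"])
    return timedelta(0) <= age <= max_age


def usable_log_ids(log_list_json):
    """IDs of logs whose current state is 'usable'; retired/other logs are excluded."""
    data = json.loads(log_list_json)
    return sorted(log["log_id"]
                  for op in data["operators"]
                  for log in op["logs"]
                  if "usable" in log["state"])


def ct_enforcement_mode(log_list_json, now, has_updater):
    """'enforce' only with both agility requirements met; otherwise fail open to 'disabled'."""
    if not has_updater:
        return "disabled"          # no way to refresh the list: never enforce
    if not log_list_is_fresh(log_list_json, now):
        return "disabled"          # stale list: stop enforcing until updated
    if not usable_log_ids(log_list_json):
        return "disabled"          # nothing left to accept SCTs from
    return "enforce"
```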