Chrome Root store updates


Yann Droneaud

Apr 7, 2022, 12:42:13 PM
to dev-secur...@mozilla.org
(sorry it's probably not the correct mailing list to bring this issue)

Hi,

I'm following the changes made on chromium sources on the root store:

https://chromium.googlesource.com/chromium/src.git/+log/refs/heads/main/net/data/ssl/chrome_root_store

1. ccb8b9d
<https://chromium.googlesource.com/chromium/src.git/+/ccb8b9d1c624f73c0a547aebf9a57280bef30fe1>
Automatic update from google3
<https://chromium.googlesource.com/chromium/src.git/+/ccb8b9d1c624f73c0a547aebf9a57280bef30fe1>
by CT Log list updates bot · 2 days ago
2. adce2c1
<https://chromium.googlesource.com/chromium/src.git/+/adce2c112ae3a4cfdfdd1f2b222f3cc99b3c0179>
Automatic update from google3
<https://chromium.googlesource.com/chromium/src.git/+/adce2c112ae3a4cfdfdd1f2b222f3cc99b3c0179>
by CT Log list updates bot · 6 days ago
3. e88918b5
<https://chromium.googlesource.com/chromium/src.git/+/e88918b508d19a6434ef0e01790e04c391cf1935>
Automatic update from google3
<https://chromium.googlesource.com/chromium/src.git/+/e88918b508d19a6434ef0e01790e04c391cf1935>
by CT Log list updates bot · 7 days ago
4. 70c5ff7
<https://chromium.googlesource.com/chromium/src.git/+/70c5ff7005040b405ee6abb0af8db6d15ade9561>
Automatic update from google3
<https://chromium.googlesource.com/chromium/src.git/+/70c5ff7005040b405ee6abb0af8db6d15ade9561>
by CT Log list updates bot · 6 weeks ago
5. 8f37729
<https://chromium.googlesource.com/chromium/src.git/+/8f377296a7a0a23a007a9178465c0f276e45114d>
Add OWNERS file to allow bot updates of root_store files.
<https://chromium.googlesource.com/chromium/src.git/+/8f377296a7a0a23a007a9178465c0f276e45114d>
by Hubert Chao · 7 weeks ago
6. 0eadd64
<https://chromium.googlesource.com/chromium/src.git/+/0eadd64b82cfd8455589b1076e114a1467f0f751>
Keep all the certificates in the root store in a single file
<https://chromium.googlesource.com/chromium/src.git/+/0eadd64b82cfd8455589b1076e114a1467f0f751>
by David Benjamin · 7 weeks ago
7. c93e561
<https://chromium.googlesource.com/chromium/src.git/+/c93e561dfed48cc1b783da31d895c999ea645c30>
Merge ev_store_tool and root_store_tool to use the same code gen
tool,
<https://chromium.googlesource.com/chromium/src.git/+/c93e561dfed48cc1b783da31d895c999ea645c30>
by Hubert Chao · 3 months ago
8. e8de2ff
<https://chromium.googlesource.com/chromium/src.git/+/e8de2ffc0a338aae082459f50cb4c0b3b993c5cd>
root_store_tool: Write a depfile to avoid manually listing indirect
dependencies
<https://chromium.googlesource.com/chromium/src.git/+/e8de2ffc0a338aae082459f50cb4c0b3b993c5cd>
by David Benjamin · 3 months ago
9. babf00e
<https://chromium.googlesource.com/chromium/src.git/+/babf00e7c4f702bd3faac5741d2a6545b4377110>
Remove 3 expired roots from chrome root store and 2 roots that are
<https://chromium.googlesource.com/chromium/src.git/+/babf00e7c4f702bd3faac5741d2a6545b4377110>
by Hubert Chao · 4 months ago
10. 02ed30b3
<https://chromium.googlesource.com/chromium/src.git/+/02ed30b3d019f90006a4cfb3961604b09f93a165>
Adjust Chrome Root Store code generation tool to allow for relative
paths to be handled correctly.
<https://chromium.googlesource.com/chromium/src.git/+/02ed30b3d019f90006a4cfb3961604b09f93a165>
by Hubert Chao · 7 months ago
11. 45ba98fa
<https://chromium.googlesource.com/chromium/src.git/+/45ba98fa54bc776d80c63693d0dc615b3fa45e88>
Fix chrome root store codegen for cross-compile builds.
<https://chromium.googlesource.com/chromium/src.git/+/45ba98fa54bc776d80c63693d0dc615b3fa45e88>
by Hubert Chao · 7 months ago
12. a98de1c6
<https://chromium.googlesource.com/chromium/src.git/+/a98de1c6b2e34feb941b7d81be25375fb41786da>
Switch directory structure for Chrome Root Store data to be simpler,
and change the root_store_tool to match.
<https://chromium.googlesource.com/chromium/src.git/+/a98de1c6b2e34feb941b7d81be25375fb41786da>
by Hubert Chao · 9 months ago
13. 7c39043
<https://chromium.googlesource.com/chromium/src.git/+/7c390438e040808f75fe5e16f9b4fad98385ed54>
Add Chrome Trust Store to net/cert/internals, plumb it through to
<https://chromium.googlesource.com/chromium/src.git/+/7c390438e040808f75fe5e16f9b4fad98385ed54>
by Hubert Chao · 9 months ago
14. 14a7cc8
<https://chromium.googlesource.com/chromium/src.git/+/14a7cc85742483f071b7e3f9e6d45d1161d075e5>
Add C++ include generation to root_store_tool, build-flag guarded.
<https://chromium.googlesource.com/chromium/src.git/+/14a7cc85742483f071b7e3f9e6d45d1161d075e5>
by Hubert Chao · 10 months ago
15. caa2438
<https://chromium.googlesource.com/chromium/src.git/+/caa2438f516fe141607e5f76dd10b03ccf2451e7>
Chrome root store: PEM files and skeleton of codegen tool
<https://chromium.googlesource.com/chromium/src.git/+/caa2438f516fe141607e5f76dd10b03ccf2451e7>
by Hubert Chao · 10 months ago

It's a pity the recent changes adding/removing some certificates have
the rather unuseful commit message: "Automatic update from google3".

It's looking a bit opaque from my point of view, especially when
compared with Mozilla's root store updates.

https://g.co/chrome/root-policy doesn't give any hint, but is there any
public mailing list where CA addition/removal are discussed before being
checked in google3?

Regards.

--

Yann Droneaud

OPTEYA


Ryan Dickson

Apr 7, 2022, 2:52:49 PM
to Yann Droneaud, dev-secur...@mozilla.org

Hi Yann,


Our team continues to make preparations to launch the Chrome Root Store later this year. What you observe in the commit history is a set of changes that update the format and collection of initial root CAs targeted for inclusion in the Chrome Root Store, summarized below.


Recent updates:

  • removing CA certificates whose corresponding CA operator has requested their removal (described further in 1 and 2)

  • adding CA certificates for CAs that satisfy the criteria outlined in our existing policy 

  • replacing existing CA certificates with the most recent versions (due to certificate modification) 


Expect to see additional updates in the coming weeks and months as we prepare for launch. 


To be clear, none of the removals you observed are distrust events.


Regarding your interest in increased transparency, we’re working to address your concern. But first, we’re focused on completing our engineering efforts related to the Chrome Certificate Verifier and the Chrome Root Store (observed above), finalizing updates to our policies, defining our application process, and integrating our program and corresponding root store with CCADB. 


For any questions related to the Chrome Root Program in the meantime - please feel free to email us at chrome-ro...@google.com


Thanks,

Ryan
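Yann's complaint is that the "Automatic update from google3" commits do not say which roots changed, and Ryan's reply classifies the changes as removals, additions and replacements of an existing CA certificate with a modified version. Since commit 0eadd64 above keeps all certificates in a single file, anyone can diff two revisions of that file by certificate fingerprint and reproduce that classification themselves. The script below is an added example, not code from the thread or from Chromium: it assumes the file is a plain concatenation of PEM certificates, uses the SHA-256 fingerprint of the DER encoding as the identity of a certificate, and treats a removed certificate whose subject and SubjectPublicKeyInfo reappear under a new fingerprint as a "replacement" (that rule is the example's own assumption). The sample bundles are built from constructed, unsigned stand-in certificates so the example runs offline.

```python
"""Diff two root-store PEM bundles and classify each change as an addition,
a removal, or a replacement (same subject and public key, different bytes).
Added example; not Chromium's root_store_tool and not the thread's code."""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(bundle: bytes) -> list:
    """Extract every certificate in a PEM bundle as DER bytes."""
    return [base64.b64decode(b"".join(body.split())) for body in PEM_RE.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual identity for a root certificate."""
    return hashlib.sha256(der).hexdigest()


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos; return (tag, content_start, tlv_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> list:
    """Return (tag, full_tlv_bytes) for each element of a constructed DER value."""
    out, pos = [], start
    while pos < end:
        tag, _, tlv_end = _tlv(buf, pos)
        out.append((tag, buf[pos:tlv_end]))
        pos = tlv_end
    return out


def cert_identity(der: bytes) -> tuple:
    """(subject, subjectPublicKeyInfo) as raw DER: enough to say 'same CA, new cert'."""
    _, cert_start, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_start, tbs_end)
    if fields[0][0] == 0xA0:                        # optional explicit [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[4][1], fields[5][1]


def diff_bundles(old_pem: bytes, new_pem: bytes) -> dict:
    """Classify fingerprint-level differences between two bundle revisions."""
    old = {fingerprint(d): d for d in pem_to_der(old_pem)}
    new = {fingerprint(d): d for d in pem_to_der(new_pem)}
    removed, added = set(old) - set(new), set(new) - set(old)
    # A removed cert whose subject and key reappear under a new fingerprint is a replacement.
    by_identity = {cert_identity(old[f]): f for f in removed}
    replaced = []
    for f in sorted(added):
        ident = cert_identity(new[f])
        if ident in by_identity:
            replaced.append((by_identity.pop(ident), f))
    replaced_old = {o for o, _ in replaced}
    replaced_new = {n for _, n in replaced}
    return {"added": sorted(added - replaced_new),
            "removed": sorted(removed - replaced_old),
            "replaced": replaced}


# --- Constructed sample input: unsigned stand-ins, not real CA certificates ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with only CN (2.5.4.3)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


_SHA256_RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
_RSA_KEY = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))


def make_fake_cert(cn: str, key_byte: int, serial: int) -> bytes:
    """Structurally valid X.509 skeleton for a self-issued root; signature is filler."""
    spki = _der(0x30, _RSA_KEY + _der(0x03, b"\x00" + bytes([key_byte]) * 16))
    validity = _der(0x30, _der(0x17, b"220101000000Z") + _der(0x17, b"320101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _SHA256_RSA + _name(cn) + validity + _name(cn) + spki)
    return _der(0x30, tbs + _SHA256_RSA + _der(0x03, b"\x00" + b"\xab" * 8))


def to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


CERT_A_V1 = make_fake_cert("Example Root A", 0x11, 1)
CERT_A_V2 = make_fake_cert("Example Root A", 0x11, 2)   # same subject and key, re-issued
CERT_B = make_fake_cert("Example Root B", 0x22, 1)
CERT_C = make_fake_cert("Example Root C", 0x33, 1)
CERT_D = make_fake_cert("Example Root D", 0x44, 1)

OLD_BUNDLE = b"".join(to_pem(c) for c in (CERT_A_V1, CERT_B, CERT_C))
NEW_BUNDLE = b"".join(to_pem(c) for c in (CERT_A_V2, CERT_B, CERT_D))

if __name__ == "__main__":
    for kind, items in diff_bundles(OLD_BUNDLE, NEW_BUNDLE).items():
        print(kind, items)
```

On the real store you would feed `diff_bundles` the file contents from two revisions of the Chromium tree instead of the constructed bundles; the fingerprints it reports can then be looked up against CCADB to see which CA operator each change concerns.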


