Certificate Transparency in an internal network


Jorge Cuadrado

Jun 14, 2017, 9:20:05 AM
to certificate-transparency
 Hi,

I would like to know if it's possible to use the Chrome browser auditor with a log server which runs in an internal network which doesn't have an internet connection.

I don't know if it's possible to add the internal log server to the Chrome browser using an extension, script or configuration.

Thanks!

Rob Percival

Jun 14, 2017, 10:27:26 AM
to certificate-...@googlegroups.com
There's currently no way to add additional CT logs to Chrome, short of recompiling it. May I ask why you want to add one?

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jorge Cuadrado

Jun 14, 2017, 11:47:07 AM
to certificate-transparency
The matter is how to avoid the Chrome warning when it starts to use CT by default, since in an internal network it won't be possible to communicate with the log servers. So I'm wondering if it's possible to deploy my own internal log server or disable the CT check for some domains with a Chrome extension or a script.


On Wednesday, June 14, 2017, 16:27:26 (UTC+2), Rob Percival wrote:
> There's currently no way to add additional CT logs to Chrome, short of recompiling it. May I ask why you want to add one?
> On Wed, 14 Jun 2017 at 14:20 Jorge Cuadrado <jorgecua...@gmail.com> wrote:
>> Hi,
>>
>> I would like to know if it's possible to use the Chrome browser auditor with a log server which runs in an internal network which doesn't have an internet connection.
>>
>> I don't know if it's possible to add the internal log server to the Chrome browser using an extension, script or configuration.
>>
>> Thanks!


Rob Percival

Jun 14, 2017, 12:51:44 PM
to certificate-transparency
Chrome doesn't communicate with the CT logs while verifying a certificate. It simply checks that sufficient valid SCTs (Signed Certificate Timestamps) were provided, either embedded in the certificate, provided by the web server (via a TLS extension) or provided by the CA (via an OCSP extension). Therefore, it should work even on a network that has no internet connection.

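An added illustration of the point in the message above (not code from the thread or from Chrome): the SCT list delivered in the certificate, the TLS extension or the OCSP response is a self-contained structure defined in RFC 6962, so it can be parsed with no network access. The sample bytes are constructed, with made-up log IDs and dummy signatures, and checking each signature against the log's public key is not shown.

```python
import struct
from datetime import datetime, timezone

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    if len(sct) < 47:  # 1 version + 32 log id + 8 timestamp + 2 ext len + 4 sig header
        raise ValueError("SCT too short")
    if sct[0] != 0:
        raise ValueError("only SCT version v1 (0) is handled here")
    timestamp_ms, ext_len = struct.unpack_from(">QH", sct, 33)
    pos = 43 + ext_len  # skip the (normally empty) extensions field
    if pos + 4 > len(sct):
        raise ValueError("extensions overrun the SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if pos + 4 + sig_len != len(sct):
        raise ValueError("signature length does not match SCT length")
    return {
        "log_id": sct[1:33].hex(),  # SHA-256 of the log's public key
        "timestamp_ms": timestamp_ms,
        "issued": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc).isoformat(),
        "hash_alg": hash_alg,  # TLS HashAlgorithm, 4 = sha256
        "sig_alg": sig_alg,    # TLS SignatureAlgorithm, 3 = ecdsa
        "signature": sct[pos + 4:],
    }

def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("list length prefix does not match buffer")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length prefix")
        (sct_len,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + sct_len > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[pos + 2 : pos + 2 + sct_len]))
        pos += 2 + sct_len
    return scts

def constructed_sample() -> bytes:
    """Constructed input: two SCTs with made-up log IDs and dummy signatures."""
    items = b""
    for log_byte, ts in ((0xAA, 1497398400000), (0xBB, 1497398460000)):
        sct = bytes([0]) + bytes([log_byte]) * 32 + struct.pack(">QH", ts, 0)
        sct += struct.pack(">BBH", 4, 3, 8) + b"\x00" * 8  # sha256/ecdsa, dummy sig
        items += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(items)) + items
```

Calling `parse_sct_list(constructed_sample())` returns two entries, one per distinct log ID, each with the timestamp the log signed.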

Kurt Roeckx

Jun 14, 2017, 2:59:15 PM
to certificate-...@googlegroups.com
On Wed, Jun 14, 2017 at 08:47:07AM -0700, Jorge Cuadrado wrote:
> The matter is how to avoid the Chrome warning when it starts to use CT by
> default, since in an internal network it won't be possible to communicate with
> the log servers. So I'm wondering if it's possible to deploy my own
> internal log server or disable the CT check for some domains with a Chrome
> extension or a script.

I think that Chrome doesn't have CT requirements for CAs that you
add manually, so there shouldn't be a CT requirement for internal
only CAs.


Kurt

Ben Laurie

Jun 15, 2017, 8:34:42 AM
to certificate-...@googlegroups.com
That is correct,