Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update CT Policy to reflect requirement for CT for all certs issued after 2018. #17

Open
tsellers-r7 opened this issue Sep 7, 2018 · 4 comments
Open

Update CT Policy to reflect requirement for CT for all certs issued after 2018. #17

tsellers-r7 opened this issue Sep 7, 2018 · 4 comments

Comments

@tsellers-r7
Copy link

tsellers-r7 commented Sep 7, 2018
edited

This post by Devon O'Brien states that:

Since January 2015, Chrome has required that Extended Validation (EV) certificates be CT-compliant in order to receive EV status. In April 2018, this requirement will be extended to all newly-issued publicly-trusted certificates - DV, OV, and EV - and certificates failing to comply with this policy will not be recognized as trusted when evaluated by Chrome. Certificates issued from locally-trusted or enterprise CAs that are added by users or administrators are not subject to this requirement.

Reference: https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ

That post links to the policy in this repository which mentions the CT requirement for EV, doesn't not mention the DV and OV certificates.

Reference: https://github.com/chromium/ct-policy/blob/master/ct_policy.md

Should this be updated or do I misunderstand the new requirements.

CC: @sleevi
@sleevi
Copy link
Contributor

sleevi commented Sep 7, 2018

The intent is to remove the descriptive introduction and leave the normative about CT Qualified.

The subsequent paragraph contains:

In order to improve the security of the Certificate Authority (CA) ecosystem, Google Chrome may require that certificates be considered CT Qualified in order to be recognized as trusted.

For example, Chrome requires this of all certificates issued after April 2018.

@sleevi
Copy link
Contributor

sleevi commented Sep 7, 2018

CC’ing @devonobrien in case he isn’t subscribed to all alerts.

@devonobrien
Copy link
Collaborator

The post is correct and is matched by enforcement in the Chromium codebase.

We have some drafted language updates to the policy that covers this as well as other outdated references in the policy. We'll throw up a PR and discuss on ct-policy@chromium.org soon.

@tsellers-r7
Copy link
Author

tsellers-r7 commented Sep 7, 2018
edited

Thanks for responding. I think Devon's email was pretty clear. I was referencing his email as well as this policy internally and wanted to make sure that my understanding was correct (All publicly trusted certs issued after April 2018 must be in CT) and that the policy document in this repo was the appropriate place to point folks to.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests

3 participants
@sleevi @devonobrien @tsellers-r7