rsleevi authored
hosts as exempt from Certificate Transparency policy.

This introduces a policy (CertificateTransparencyEnforcementDisabledForUrls) that allows exempting certain hostnames from the Certificate Transparency requirements.

Some CAs, such as Symantec and CNNIC at present, are required to disclose their certificates via CT in order to have them trusted; any certificate not disclosed is not trusted. However, to accommodate some enterprise users who have the capability to manage Chromium consumers, but cannot manage other certificate-consuming systems on their network, and which need certificates from these CAs, and which claim that they cannot have these hosts disclosed publicly (e.g. "topsecret.internal.example.com"), this provides a policy mechanism to allow those hosts to be exempted from CT requirement.

This is not a blanket policy for general hosts on the Internet; in general, all certificates from these CAs must conform, unless the device is enterprise managed.

Whether or not this policy ends up being temporary or not depends on the IETF and CA community, and whether or not a suitable technical means of redaction can be devised which allows redaction (e.g. "?.?.example.com") to be safely performed. For now and the foreseeable future, redaction is not viable for Chromium, so the enterprise policy is offered as an alternative.

BUG=620178
TBR=atwilson@chromium.org
Review-Url: https://codereview.chromium.org/2102783003
Cr-Commit-Position: refs/heads/master@{#403125}
96356f8d