Lines Matching full:that

10 append-only data structure that can log certificates that are issued by
17 that the CA is complying with their expected or disclosed practices.
27 We say that a certificate supports Certificate Transparency if it comes with
28 CT information that demonstrates it has been logged in several CT logs. This
31 policy. We sometimes refer to a site that "supports" CT as using a certificate
32 that is "CT qualified" or "disclosed via CT."
38 supports CT through the first method, meaning that when you get a certificate,
45 not support CT, then that generally indicates that your CA is not following
54 that, such as hosting and cloud providers. If you are hosting your own website,
55 you should try to ensure that your certificates support CT, and avoid supporting
61 possible that changes in the CT ecosystem may mean that the CT information may
68 These policies only apply to publicly-trusted CAs - that is, CAs that your
79 Chrome has required that all Extended Validation certificates be disclosed via
80 Certificate Transparency. Certificates that were not properly disclosed would
81 …tcraft.com/archives/2015/08/24/thousands-short-changed-by-ev-certificates-that-dont-display-correc…
82 but no warnings would be shown to visitors to sites that did not comply.
85 Chrome has required that all new certificates issued by the set of root
87 Transparency. Certificates that were not disclosed, or which were not disclosed
90 * For all new certificates issued after 30 April 2018, [Chrome will require that
98 indicates that your CA has not taken steps to make sure your certificate
100 you can get a replacement certificate that works.
104 Supporting CT by disclosing the certificate to a CT Log means that the full
106 particular, this means that the domains a certificate are for will be included
119 Requiring that the full certificate be disclosed if it was issued by a
123 certificates that could be used to compromise users. Certificate Transparency
125 [number of CAs](https://wiki.mozilla.org/CA/Incident_Dashboard), many that the
131 site operators that did not need to hide their domains, those that did, and the
132 security risks that users would face.
136 to support such mechanisms. Domain operators that wish to hide their
151 users that are not part of a single enterprise, then that enterprise can
162 way that is compliant with the Certificate Transparency in Chrome policy.
164 customers by default by this date, meaning that site operators should not have
165 to do anything special and can continue getting certificates that just work on
168 However, there's still a chance that a CA may not have adopted Certificate
170 to their partners, such as resellers or subordinate CAs, to ensure that the
176 certificate with a new one that properly supports CT.
182 Certificate Transparency only applies to CAs that are publicly-trusted - that
183 is, CAs that are supported by your browser or device out of the box, without
186 For CAs that have been manually installed, provided those certificates are not
191 In some cases, an Enterprise may have a locally-trusted CA that has been
201 For Enterprises that have domain names that are internal to their organization,
214 Another option is to request that the publicly-trusted CA not log the
216 but organizations that manage their devices or users can override this through
229 Some Enterprises rely on Certificate Authorities that have not been audited to
232 programs, but may be trusted on one or more platforms that Chrome runs on.
240 Organizations that need to use certificates from these CAs should be aware
241 that their certificates will not be trusted if they do not support CT, and so
242 should look for CAs that do support CT. Alternatively, supporting CT via TLS
243 may be the only way to ensure these certificates continue to work, but that
247 Organizations that need to trust certificates from these CAs, such as when
248 talking to other organizations that need to use these CAs, can configure
256 Several Chrome-specific policies exist that allow Enterprises to configure
273 If you wish to disable CT only for a given hostname, but wish to ensure that
288 This format is very similar to that used by
289 [HTTP Public Key Pinning](https://tools.ietf.org/html/rfc7469) (HPKP), so that
292 hashes to determine how to configure the policy. Note that while both use
300 2. The hash specified is of an intermediate CA, and that intermediate CA has
302 permittedSubtrees of that extension.
303 3. The hash specified is of an intermediate CA, that intermediate CA contains
312 enforcement for certain legacy CAs that have not adopted modern security and
314 tailored towards CAs that are trusted on some platforms that Chrome runs on,
323 file, which means that they are not trusted on ChromeOS or Android, but are
324 trusted on another platform that Chrome runs on.
326 This policy is the riskiest of the three Enterprise policies, in that such
342 CT logs, and validating that the SCTs match the certificate provided.
360 security issue. For example, certificates that were intended to be EV, but
365 Certificate Transparency, by enforcing that newly-issued certificates are
377 Distributors of products that embed Chromium sources are encouraged to