Codebase Browser
chromium
Go to App

chromium/components/policy/resources/templates/policy_definitions/Miscellaneous/CertificateTransparencyEnforcementDisabledForCas.yaml 

caption: Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo
  hashes
desc: |-
  Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hashes. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the hash must meet one of these conditions:

        * It's of the server certificate's <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph>.

        * It's of a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> that appears in a Certificate Authority (CA) certificate in the certificate chain. That CA certificate is constrained through the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName has an organizationName attribute.

        * It's of a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate has the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.

        Specify a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash by linking the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.

        Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't trust those certificates.
example_value:
- sha256/AAAAAAAAAAAAAAAAAAAAAA==
- sha256//////////////////////w==
features:
  dynamic_refresh: true
  per_profile: true
future_on:
- fuchsia
owners:
- file://components/certificate_transparency/OWNERS
- [email protected]
schema:
  items:
    type: string
  type: array
supported_on:
- chrome.*:67-
- chrome_os:67-
- android:67-
tags:
- system-security
type: list