caption: Disable Certificate Transparency enforcement for a list of Legacy Certificate
Authorities
desc: |-
Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of Legacy Certificate Authorities (CA) for certificate chains with a specified <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash must appear in a CA certificate recognized as a Legacy CA. A Legacy CA is publicly trusted by one or more operating systems supported by <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph>, but not Android Open Source Project or <ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph>.
Specify a <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> hash by linking the hash algorithm name, a slash and the Base64 encoding of that hash algorithm applied to the DER-encoded <ph name="SUBJECT_PUBLIC_KEY_INFO">subjectPublicKeyInfo</ph> of the specified certificate. Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.
Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> doesn't trust those certificates.
This policy was removed in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 128.
example_value:
- sha256/AAAAAAAAAAAAAAAAAAAAAA==
- sha256//////////////////////w==
features:
dynamic_refresh: true
per_profile: true
owners:
- file://components/certificate_transparency/OWNERS
- [email protected]
schema:
items:
type: string
type: array
deprecated: true
supported_on:
- chrome.*:67-127
- chrome_os:67-127
- android:67-127
tags:
- system-security
type: list
Codebase Browser
chromium