Google Chrome: contstraint based distrust #967
Labels
Comments
|
Hi @lukastribus Thanks a lot for sharing the resources for the approach followed by Google. As I read through it if we remove the said Root CAs from trust store then there will be false positive result for certificates issued before 31st October 2024 hence we will come up with the said approach mentioned by Google in https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html Regards, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
Google Chrome implements constrain based CA distrust:
https://source.chromium.org/chromium/chromium/src/+/main:net/cert/root_store.proto;drc=a783c3bab474ff68e675e2753f91c92ca817e072;l=15?q=f:root_store.proto&ss=chromium
which will be used to distrust Entrust Root CA for certificates whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 (GMT) :
https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM/m/-tvW5l-lAAAJ?pli=1
For ssltest I assume it's easier to just remove the Entrust root than it is to implement the same feature.
Thanks in advance
The text was updated successfully, but these errors were encountered: