summaryrefslogtreecommitdiff
path: root/chromium/net/docs/certificate-transparency.md
diff options
context:
space:
mode:
Diffstat (limited to 'chromium/net/docs/certificate-transparency.md')
-rw-r--r--chromium/net/docs/certificate-transparency.md203
1 files changed, 203 insertions, 0 deletions
diff --git a/chromium/net/docs/certificate-transparency.md b/chromium/net/docs/certificate-transparency.md
new file mode 100644
index 00000000000..7f4b6a9130b
--- /dev/null
+++ b/chromium/net/docs/certificate-transparency.md
@@ -0,0 +1,203 @@
+# Certificate Transparency
+
+## Overview
+
+[Certificate Transparency](http://www.certificate-transparency.org/) (CT) is a
+protocol designed to fix several structural flaws in the SSL/TLS certificate
+ecosystem. Described by [RFC 6962](https://tools.ietf.org/html/rfc6962) and
+the ongoing work in [RFC 6962-bis](https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/),
+it provides a means of providing a public, append-only data structure that
+can log certificates issued by [certificate authorities](https://en.wikipedia.org/wiki/Certificate_authority) (CAs).
+By logging these certificates, it becomes possible for site operators to
+detect when a certificate may have been issued for their domain without their
+approval, and allows browsers and the wider ecosystem to verify that CAs are
+following their expected and disclosed practices.
+
+## Certificate Transparency Basics
+
+Broadly speaking, the goal of supporting Certificate Transparency is to ensure
+that certificates an application trusts will be publicly disclosed in a way
+sufficient for site operators and application developers to ensure that
+nothing is wrong.
+
+At the most basic level, it's possible to simply introduce Certificate
+Transparency logs as trusted third parties, much like CAs are trusted third
+parties. If the logs are operated by CAs, this may not be much of a security
+improvement, but if the logs are operated by non-CA entities, this might serve
+as a sufficient counter-balance to the risks.
+
+However, with more work, it's possible to minimize the trust afforded to
+Certificate Transparency logs, and to automatically and cryptographically
+verify they're complying with their stated policies. This can provide even
+greater assurance to application developers, site operators, and their users,
+that the security expected from certificates is actually being provided.
+
+For a more thorough threat analysis, see
+https://datatracker.ietf.org/doc/draft-ietf-trans-threat-analysis/ that
+discusses the different risks in Certificate Transparency, and how the
+protocol addresses them.
+
+## Certificate Transparency in `//net`
+
+A goal of `//net` is to try to ensure that code is 'safe by default' when
+used. As part of serving that goal, in order to make a TLS or QUIC connection
+using code in `//net`, it's necessary for the `//net` embedder to make
+a decision about Certificate Transparency, much like it is necessary to
+provide a [`CertVerifier`](/net/cert/cert_verifier.h) that describes how to
+verify the server's certificate.
+
+Because this is necessary to make a TLS or QUIC connection, this requirement
+surfaces upwards through each layer in the stack - applying to things like
+[`HttpNetworkSession`](/net/http/http_network_session.h) and upwards to
+[`URLRequestContext`](/net/url_request/url_request_context.h).
+
+This requirement is expressed by requiring two separate, but related, objects
+to be supplied: [`CTVerifier`](/net/cert/ct_verifier.h) and
+[`CTPolicyEnforcer`](/net/cert/ct_policy_enforcer.h), which together can be used
+to express an application's policies with respect to Certificate Transparency.
+
+As part of the goal of ensuring 'safe by default', `//net` also has various
+policies related to certificates issued by particular CAs whose past actions
+have created unnecessary security risk for TLS connections, and as a
+consequence, are required to have their certificates disclosed using
+Certificate Transparency in order to ensure that the security provided by
+these CAs matches the level of security and assurance that other CAs provide.
+These policies are implemented in
+[`TransportSecurityState`](/net/http/transport_security_state.cc), via the
+`ShouldRequireCT` method.
+
+### CTVerifier
+
+`CTVerifier` is the core interface for parsing and validating the structures
+defined in RFC6962 (or future versions), and for providing basic information
+about the [`SignedCertificateTimestamps`](https://tools.ietf.org/html/rfc6962#section-3.2)
+present within the connection.
+
+### CTPolicyEnforcer
+
+`CTPolicyEnforcer` is the core class for expressing an application's policies
+around how it expects Certificate Transparency to be used by the certificates
+it trusts and the CAs that issue these certificates.
+
+`CTPolicyEnforcer` currently expresses two policies:
+ * How to treat [Extended Validation](https://cabforum.org/extended-validation-2/)
+ certificates (those for which a [`CertVerifier`](/net/cert/cert_verifier.h)
+ returned `CERT_STATUS_IS_EV`).
+ * How to treat all certificates, regardless of EV status.
+
+### TransportSecurityState
+
+The `TransportSecurityState::ShouldRequireCT` method implements the core logic
+for determining whether or not a connection attempt should be rejected if it
+does not comply with an application's Certificate Transparency policy.
+
+The implementation in `//net` provides a default implementation that tries to
+ensure maximum security, by failing connections that do not abide by an
+application's Certificate Transparency policy and are from CAs known to have
+security issues in the past.
+
+Embedders can customize or override this by providing a
+`TransportSecurityState::RequireCTDelegate` implementation, which allows
+applications to inspect the connection information and determine whether
+Certificate Transparency should be required, should not be required, or
+whether the default logic in `//net` should be used.
+
+## Certificate Transparency in Chromium
+
+As part of the open-source implementation of Chrome, the policies related to
+how Chromium code treats Certificate Transparency are documented at
+https://www.chromium.org/Home/chromium-security/certificate-transparency . This
+page includes the policies for how Chromium determines an acceptable set of
+Certificate Transparency logs and what Certificate Transparency-related
+information is expected to accompany certificates, both for EV and non-EV.
+
+The implementation of these policies lives within [`//net/cert`](/net/cert), and
+includes:
+ * [`ct_known_logs.h`](/net/cert/ct_known_logs.h): The set of Certificate
+ Transparency logs known and qualified according to Chromium's
+ [Certificate Transparency Log Policy](https://www.chromium.org/Home/chromium-security/certificate-transparency/log-policy).
+ * [`multi_log_ct_verifier.h`](/net/cert/multi_log_ct_verifier.h): Capable of
+ parsing `SignedCertificateTimestamps` from a variety of logs and
+ validating their signatures, using the keys and information provided by
+ `ct_known_logs.h`.
+ * [`ct_policy_enforcer.h`](/net/cert/ct_policy_enforcer.h): A base class that
+ implements the Certificate Transparency in Chrome Policy, for both EV and
+ non-EV certificates.
+
+## Certificate Transparency for `//net` Consumers
+
+This section is intended for code that is open-sourced as part of the
+Chromium projects, intended to be included within Google Chrome, and which
+uses the `//net` APIs for purposes other than loading and rendering web
+content. Particularly, consumers of `//net` APIs that are communicating with
+a limited or defined set of endpoints and which don't use certificates issued
+by CAs. This may also include testing tools and utilities, as these are not
+generally shipped to users as part of Chrome.
+
+Not every TLS connection may need the security assurances that
+Certificate Transparency aims to provide. For example, some consumers of
+`//net` APIs in Chromium use mutual authentication with self-signed
+certificates and which are authenticated out-of-band. For these connections,
+Certificate Transparency is not relevant, and it's not necessary to parse
+or enforce Certificate Transparency related information.
+
+For these cases, the approach is:
+ * [`do_nothing_ct_verifier.h`](/net/cert/do_nothing_ct_verifier.h): A no-op
+ CTVerifier that does not parse or verify Certificate Transparency-related
+ information.
+ * A derived `CTPolicyEnforcer` implementation that indicates all
+ certificates comply with its policies.
+
+ **TODO(rsleevi):** Provide a `DoNothingCTPolicyEnforcer`
+
+As documented in these classes, care should be taken before using these, as
+they provide much weaker security guarantees. In general, emailing
+[net-dev@chromium.org](mailto:net-dev@chromium.org) or discussing it during a
+security review is the right answer, and documenting at the instantiation
+points why it is safe and acceptable to use these classes.
+
+## Certificate Transparency for `//net` Embedders
+
+This section is intended for code that is used in other open-source Chromium
+based projects, but are not included in Google Chrome or related. This
+includes projects based on `//net`, such as
+[`//components/cronet`](/components/cronet) or other
+[`//content`](/content) embedders.
+
+For projects and third party products that embed `//net`, the policies
+that are included as part of the open-source repository may not be
+appropriate. This is because the implementations may rely implicitly
+or explicitly on several key guarantees that come from Google-branded
+distributions and products, and may not be appropriate for other cases.
+
+These key expectations are:
+ * A release cycle aligned with Chrome releases; that is, every six weeks,
+ and on the same versions as Chrome releases.
+ * Widespread support for automatic updates.
+ * That [`base::GetBuildTime()`](/base/build_time.h) will reflect, to
+ some degree, when the tree was branched and/or released, and will not
+ be re-generated on recompilation. That is, this implies is_official_build
+ for binaries released to end-users, but is not enforced in code so that
+ developers can accurately test release behavior.
+ * Support for dynamic [`base::FieldTrial`](/base/metrics/field_trial.h)
+ configurations.
+
+For projects that don't support automatic updates, or which measure 'stable'
+on the order of months to years, or which don't have tools suitable to
+respond to changes in the Certificate Authority and Certificate Transparency
+ecosystem, it may not be appropriate to enable Certificate Transparency
+support yet.
+
+These issues are not unique or particular to Certificate Transparency - in
+many ways, they're similar to issues already faced with determining which
+CAs are trusted and how to successfully validate a TLS server's certificate.
+However, as the Certificate Transparency ecosystem is still growing, it may be
+suitable to disable support until some of the solutions to these challenges
+stablize.
+
+To opt-out of enforcing Certificate Transparency, using the `DoNothing`
+variants discussed above provides a suitable implementation that will opt to
+'fail open' instead. This may provide less security, but provides greater
+stability, and minimizes the risk that these `//net` embedding clients
+might cause to the Certificate Transparency ecosystem or receive from enabling
+Certificate Transparency.
View Lorry Controller Status