Warn if a well-known/"public" CA issues a certificate for a non-TLD

Warn if a well-known/"public" CA issues a certificate for a non-TLD

In preparation for new gTLDs being issued, begin phasing out the process of
permitting publicly-trusted, well-known CAs to issue certificates for names
that the CA cannot verify exclusive control over, such as "webmail" or
"intranet.corp".

Instead, require all publicly-trusted certificates be issued for domains that
chain to an ICANN-recognized root zone (registry controlled domain).

For certs that fail to meet this basic criteria, do not display the page as
secure, as an attacker may be able to go to another CA (or even the same CA
as the 'legitimate' site) and get a valid, publicly-trusted certificate for the
same name.

This does not cause an interstitial to be shown, but represents the first step
to phasing out the practice.

BUG=119212
TEST=[to be filled in]

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=200704

[Ryan Sleevi, 2013-05-16 02:45:46]

agl: This one's a bit charged, so I'll let you take the review.

palmer: Merry Christmas.

[Ryan Sleevi, 2013-05-16 02:59:01]

also +cc felt, in the event this biases any of the interstitial tests (even
though this does not result in an interstitial)

[felt, 2013-05-16 05:21:38]

Hi Ryan, to make sure I understand-- this will change what the URL looks like in
the omnibox? (But won't trigger any extra interstitials.)

On 2013/05/16 02:59:01, Ryan Sleevi wrote:
> also +cc felt, in the event this biases any of the interstitial tests (even
> though this does not result in an interstitial)

[Ryan Sleevi, 2013-05-16 05:22:47]

Correct.
On May 15, 2013 10:21 PM, <felt@chromium.org> wrote:

> Hi Ryan, to make sure I understand-- this will change what the URL looks
> like in
> the omnibox? (But won't trigger any extra interstitials.)
>
> On 2013/05/16 02:59:01, Ryan Sleevi wrote:
>
>> also +cc felt, in the event this biases any of the interstitial tests
>> (even
>> though this does not result in an interstitial)
>>
>
>
>
>
https://codereview.chromium.**org/15203007/<https://codereview.chromium.org/1...
>

[felt, 2013-05-16 05:23:30]

Thanks for the heads up.

On 2013/05/16 05:22:47, Ryan Sleevi wrote:
> Correct.
> On May 15, 2013 10:21 PM, <mailto:felt@chromium.org> wrote:
> 
> > Hi Ryan, to make sure I understand-- this will change what the URL looks
> > like in
> > the omnibox? (But won't trigger any extra interstitials.)
> >
> > On 2013/05/16 02:59:01, Ryan Sleevi wrote:
> >
> >> also +cc felt, in the event this biases any of the interstitial tests
> >> (even
> >> though this does not result in an interstitial)
> >>
> >
> >
> >
> >
>
https://codereview.chromium.**org/15203007/%3Chttps://codereview.chromium.org...>
> >

[agl, 2013-05-16 16:33:29]

lgtm

https://codereview.chromium.org/15203007/diff/1/net/cert/cert_verify_proc_uni...
File net/cert/cert_verify_proc_unittest.cc (right):

https://codereview.chromium.org/15203007/diff/1/net/cert/cert_verify_proc_uni...
net/cert/cert_verify_proc_unittest.cc:69: bool is_well_known_;
nit: const

[palmer, 2013-05-16 17:50:55]

Thank you, Santa! LGTM.

[Ryan Sleevi, 2013-05-16 19:57:13]

So I realized this morning that there were no tests for IP addresses - and it
turns out, they weren't being handled properly.

Since this substantially changes the CL (in order to make it more test
friendly), mind taking a relook. Please let me know if there's any additional
tests you think should be added.

[agl, 2013-05-16 20:08:25]

lgtm

https://codereview.chromium.org/15203007/diff/10001/net/cert/cert_verify_proc.h
File net/cert/cert_verify_proc.h (right):

https://codereview.chromium.org/15203007/diff/10001/net/cert/cert_verify_proc...
net/cert/cert_verify_proc.h:97: // While such names are not scheduled to be
deprecated as of 1 November 2015
s/as of/until/?

https://codereview.chromium.org/15203007/diff/10001/net/cert/cert_verify_proc...
File net/cert/cert_verify_proc_unittest.cc (right):

https://codereview.chromium.org/15203007/diff/10001/net/cert/cert_verify_proc...
net/cert/cert_verify_proc_unittest.cc:1176: // "Intanet" domains
Intra

[commit-bot: I haz the power, 2013-05-16 20:59:52]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rsleevi@chromium.org/15203007/18001

[commit-bot: I haz the power, 2013-05-16 21:30:10]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rsleevi@chromium.org/15203007/32001

[commit-bot: I haz the power, 2013-05-17 02:09:12]

Change committed as 200704