Description
Warn if a well-known/"public" CA issues a certificate for a non-TLD
In preparation for new gTLDs being issued, begin phasing out the process of
permitting publicly-trusted, well-known CAs to issue certificates for names
that the CA cannot verify exclusive control over, such as "webmail" or
"intranet.corp".
Instead, require all publicly-trusted certificates be issued for domains that
chain to an ICANN-recognized root zone (registry controlled domain).
For certs that fail to meet this basic criterion, do not display the page as
secure, as an attacker may be able to go to another CA (or even the same CA
as the 'legitimate' site) and get a valid, publicly-trusted certificate for the
same name.
This does not cause an interstitial to be shown, but represents the first step
to phasing out the practice.
BUG=119212
TEST=[to be filled in]
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=200704
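An added sketch of the check this description outlines, not code from the Chromium patch itself. The function names and the small TLD set are constructed for illustration, and IP literals are left out of scope.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>

// Constructed sample of root-zone TLDs (assumption); a real check would
// consult the full ICANN root zone / registry-controlled-domain data.
static const std::set<std::string> kSampleTlds = {"com", "org", "net", "uk"};

// Returns the lowercased right-most label of |host|, ignoring one trailing dot.
std::string LastLabel(std::string host) {
  if (!host.empty() && host.back() == '.') host.pop_back();
  std::transform(host.begin(), host.end(), host.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  const std::string::size_type dot = host.rfind('.');
  return dot == std::string::npos ? host : host.substr(dot + 1);
}

// True when |host| does not end in a known TLD, so no CA can verify that the
// requester has exclusive control of it ("webmail", "intranet.corp").
// Hypothetical helper name; IP literals are not handled in this sketch.
bool IsNameNonUnique(const std::string& host) {
  const std::string tld = LastLabel(host);
  return tld.empty() || kSampleTlds.count(tld) == 0;
}

// The UI decision: only certificates that chain to a publicly trusted root
// are affected. A private enterprise CA issuing for internal names is not.
// A single non-unique name on the certificate is enough to withhold the
// secure indicator.
bool ShouldNotShowAsSecure(bool chains_to_public_root,
                           const std::vector<std::string>& dns_names) {
  if (!chains_to_public_root) return false;
  return std::any_of(dns_names.begin(), dns_names.end(), IsNameNonUnique);
}
```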
Patch Set 1
Total comments: 1
Patch Set 2 : Now with less fail
Total comments: 2
Patch Set 3 : Comment tweaks
Patch Set 4 : comment tweak
Patch Set 5 : Make MSVC's swap impl happy
Messages
Total messages: 12 (0 generated)