Google Chrome: constraint based CA distrust #513
Replies: 2 comments
-
Hi Lukas,
If I understand correctly Chrome will complain for all "Entrust"-signed certificates with SCT after October 31. It would be nice to warn the user that the certificate will not be trusted by Chrome. If this is worth a What is your opinion?
Matteo
-
Yes, I think either CRITICAL or WARNING would be fine by default. Just optionally checking for this via opt-in is probably not sufficient because the point is that the user may not know about it beforehand.
-
Hello,
Google Chrome implements constraint-based CA distrust:
https://source.chromium.org/chromium/chromium/src/+/main:net/cert/root_store.proto;drc=a783c3bab474ff68e675e2753f91c92ca817e072;l=15?q=f:root_store.proto&ss=chromium
which will be used to distrust Entrust Root CA for certificates whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 (GMT):
https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM/m/-tvW5l-lAAAJ?pli=1
Not exactly sure what can be done here by check_ssl_cert.
Replicating the Chrome Feature as-is is probably very complex.
Simply blacklisting certain CAs perhaps?
Or perhaps this should be considered out of scope?
Thanks,
Lukas
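As an added example (not check_ssl_cert's own code and not anything Lukas or Matteo posted), here is a POSIX shell sketch of the check the thread is discussing: pull the SCT timestamps out of `openssl x509 -text` output, take the earliest one, and report CRITICAL when an Entrust-issued certificate's earliest SCT is dated after October 31, 2024 (GMT). The `CT Precertificate SCTs` excerpt and the issuer line are constructed sample input; treating any issuer whose organisation contains "Entrust" as chaining to the constrained Entrust roots is a simplifying assumption.

```shell
#!/bin/sh
# Added example, not check_ssl_cert code. Assumption: an issuer whose
# organisation contains "Entrust" chains to the Entrust roots Chrome
# constrains (a real check should walk the chain up to the root).
ENTRUST_CUTOFF=20241031   # YYYYMMDD, GMT: SCTs dated after this day are distrusted

# Read `openssl x509 -noout -text` output on stdin and print the earliest SCT
# timestamp as YYYYMMDD (prints nothing when the certificate carries no SCTs).
earliest_sct_date() {
    awk 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                 for (i = 1; i <= 12; i++) mon[m[i]] = i; min = "" }
         /^[ \t]*Timestamp[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, "")    # leaves "Nov  5 12:34:56.789 2024 GMT"
             d = sprintf("%04d%02d%02d", $4, mon[$1], $2)
             if (min == "" || d < min) min = d
         }
         END { print min }'
}

# Nagios-style verdict: prints a status line and returns 0 (OK), 1 (WARNING)
# or 2 (CRITICAL). $1 = issuer string, $2 = earliest SCT date (YYYYMMDD).
chrome_entrust_verdict() {
    case "$1" in
        *Entrust*) ;;
        *) echo "OK: issuer is not an Entrust CA"; return 0 ;;
    esac
    if [ -z "$2" ]; then
        echo "WARNING: Entrust certificate carries no SCTs; cannot evaluate Chrome distrust"
        return 1
    fi
    if [ "$2" -gt "$ENTRUST_CUTOFF" ]; then
        echo "CRITICAL: earliest SCT $2 is after $ENTRUST_CUTOFF; Chrome will not trust this certificate"
        return 2
    fi
    echo "OK: earliest SCT $2 is on or before $ENTRUST_CUTOFF"
    return 0
}

# Constructed sample input (not a real certificate): the SCT section of an
# `openssl x509 -text` dump and the matching `openssl x509 -issuer` line.
SAMPLE_TEXT='    CT Precertificate SCTs:
        Signed Certificate Timestamp:
            Timestamp : Nov  5 12:34:56.789 2024 GMT
        Signed Certificate Timestamp:
            Timestamp : Nov  5 12:34:57.012 2024 GMT'
SAMPLE_ISSUER='issuer=C = US, O = Entrust, Inc., CN = Entrust Certification Authority - L1K'

sct=$(printf '%s\n' "$SAMPLE_TEXT" | earliest_sct_date)
chrome_entrust_verdict "$SAMPLE_ISSUER" "$sct" || echo "plugin exit status: $?"
```

For a real certificate, feed `openssl x509 -in cert.pem -noout -text` to `earliest_sct_date` and `openssl x509 -in cert.pem -noout -issuer` as the first argument of the verdict function.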