xref: /aosp_15_r20/external/cronet/net/data/ssl/symantec/README.md (revision 6777b5387eb2ff775bb5750e3f5d96f37fb7352b)
# Symantec Certificates

This directory contains the set of known active and legacy root certificates
that were operated by Symantec Corporation. In order for certificates issued
from these roots to be trusted, it is required that they comply with the
policies outlined at <https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html>.

The exceptions to this are:
  * Pre-existing independently operated sub-CAs, whose keys were and are not
    controlled by Symantec and which maintain current and appropriate audits.
  * The set of Managed CAs in accordance with the above policies.

In addition to the above, no changes exist from the Certificate Transparency
requirement outlined at <https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html>.

## Implementation Details

Policies related to these certificates are based on the hash of the
subjectPublicKeyInfo, rather than of the certificate, and without considering
the Subject Distinguished Name.

The choice of using subjectPublicKeyInfo is two-fold:

* If there are any concerns with how the key material has been protected,
  those concerns apply to all subject names, not just the known subject names.
  By limiting trust in the SPKI, the underlying issue is addressed. This also
  helps address any concerns with potential cross-signs in the future, as has
  been seen in past CA remediation efforts.
* Simultaneously, if there are no concerns with the SPKI, such as due to being
  on the exclusions list, then we want to ensure ecosystem flexibility in the
  event that the certificates themselves need to be reissued. The most likely
  cause for reissuance of Excluded Sub-CAs may be presumed to be either
  expiration or due to wanting to add additional extensions (such as to reduce
  the scope of issuance). To avoid unduly limiting the ecosystem flexibility
  in the event of those changes, excluding by SPKI allows for some limited
  agility, while being grounded in the objective evaluation of the key and how
  the key material has been operated and protected. In the context of Managed
  CAs, this ensures that additional (effectively cross-signed) versions of the
  Managed Partner Infrastructure can be introduced as needed, while ensuring no
  additional code changes or updates are necessary.

Thus, identifying 'roots' (which may appear anywhere in the chain) by SPKI helps
ensure the appropriate restrictions are applied, regardless of cross-signs or
self-signed variations, while identifying 'exclusions' by SPKI helps ensure the
necessary flexibility to respond to ecosystem changes.

## Roots

The full set of roots are in the [roots/](roots/) directory, organized by
SHA-256 hash of the certificate file.

The following command can be used to match certificates and their key hashes:

```bash
for f in roots/*.pem; do
  openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout
  digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `
  echo "0x${digest} ${f##*/}"
done | sort
```

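The following is an added example, not code from Chromium or this directory. It shows, using only the Python standard library, the two things the Implementation Details and Roots sections describe: extracting the subjectPublicKeyInfo from a certificate and hashing it (printing the same `0x..,0x..` layout as the openssl/sed pipeline above), and the resulting rule that a legacy root SPKI anywhere in the chain triggers the policy unless an excluded sub-CA or Managed CA SPKI is also present. The certificates, keys and hash sets below are constructed placeholders built in-code (the EC point bytes are not a real curve point and the signature is a dummy); in a real build the sets would be generated from the `roots/`, `excluded/` and `managed/` directories, and Chromium's own check lives elsewhere in `net/` and is not reproduced here.

```python
"""Added example (not Chromium's code): SPKI extraction, SPKI hashing, and
the 'legacy root anywhere in the chain, unless an exclusion is present'
rule described in the README. Standard library only."""
import base64
import hashlib
import re


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        hdr = bytes([tag, n])
    elif n < 0x100:
        hdr = bytes([tag, 0x81, n])
    else:
        hdr = bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER subjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQ { tbsCertificate ::= SEQ { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, spki, ... }, ... }"""
    tag, pos, _ = _read_tlv(cert_der, 0)    # Certificate
    assert tag == 0x30
    tag, pos, _ = _read_tlv(cert_der, pos)  # tbsCertificate
    assert tag == 0x30
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                         # explicit [0] version (absent in v1)
        pos = end
    for _ in range(5):                      # serial, sig alg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    assert tag == 0x30
    return cert_der[pos:end]                # whole SPKI TLV, header included


def spki_sha256(cert_pem: str) -> str:
    """Hex SHA-256 of the SPKI: independent of subject name, serial and signer."""
    return hashlib.sha256(extract_spki(pem_to_der(cert_pem))).hexdigest()


def to_c_array(hex_digest: str) -> str:
    """Same '0x..,0x..' layout the README's openssl/sed pipeline prints."""
    return ",".join("0x" + hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))


def is_legacy_symantec_chain(chain_hashes, legacy_roots, excluded) -> bool:
    """README rule: a legacy root SPKI anywhere in the chain triggers the
    policy unless an excluded sub-CA / Managed CA SPKI is also present."""
    seen = set(chain_hashes)
    return bool(seen & legacy_roots) and not (seen & excluded)


# --- constructed placeholder data: not real keys, certificates or hashes ----
def make_spki(point_bytes: bytes) -> bytes:
    """EC P-256 SPKI shape; point_bytes is a placeholder, not a valid point."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201"))    # id-ecPublicKey
                     + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))  # prime256v1
    return _tlv(0x30, alg + _tlv(0x03, b"\x00\x04" + point_bytes))


def make_cert_pem(spki: bytes, serial: int, cn: str) -> str:
    """Minimal v3 certificate around spki with a dummy (invalid) signature."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                            + _tlv(0x0C, cn.encode()))))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
                     + sig_alg + name + validity + name + spki)
    der = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ROOT_KEY, SUBCA_KEY, LEAF_KEY = (make_spki(bytes([b]) * 64) for b in (0x11, 0x22, 0x33))
# The same root key under two names (self-signed and cross-signed): same hash.
root_self = make_cert_pem(ROOT_KEY, 1, "Placeholder Root")
root_cross = make_cert_pem(ROOT_KEY, 2, "Placeholder Root (cross-signed)")
subca = make_cert_pem(SUBCA_KEY, 3, "Placeholder Excluded Sub-CA")
leaf = make_cert_pem(LEAF_KEY, 4, "example.test")
LEGACY_ROOTS = {spki_sha256(root_self)}     # stands in for roots/
EXCLUDED = {spki_sha256(subca)}             # stands in for excluded/ and managed/


def classify(chain_pems) -> bool:
    return is_legacy_symantec_chain([spki_sha256(p) for p in chain_pems], LEGACY_ROOTS, EXCLUDED)


if __name__ == "__main__":
    for pem, fname in ((root_self, "root.pem"), (root_cross, "root-cross.pem")):
        print(to_c_array(spki_sha256(pem)), fname)           # identical digests
    print("leaf <- cross-signed root:", classify([leaf, root_cross]))          # True
    print("leaf <- excluded sub-CA <- root:", classify([leaf, subca, root_self]))  # False
```

Because the hash covers only the SPKI, the cross-signed copy of the root produces the same digest as the self-signed one, so the restriction follows the key wherever it appears in a chain; a chain that also contains an excluded sub-CA key is released from it without any change to the root set.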
## Excluded Sub-CAs

### Apple

[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1917)
[Certification Practices Statement](http://images.apple.com/certificateauthority/pdf/Apple_IST_CPS_v2.0.pdf)

  * [17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem](excluded/17f96609ac6ad0a2d6ab0a21b2d1b5b2946bd04dbf120703d1def6fb62f4b661.pem)
  * [3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem](excluded/3db76d1dd7d3a759dccc3f8fa7f68675c080cb095e4881063a6b850fdd68b8bc.pem)
  * [6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem](excluded/6115f06a338a649e61585210e76f2ece3989bca65a62b066040cd7c5f408edd0.pem)
  * [904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem](excluded/904fb5a437754b1b32b80ebae7416db63d05f56a9939720b7c8e3dcc54f6a3d1.pem)
  * [ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem](excluded/ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b.pem)
  * [a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem](excluded/a4fe7c7f15155f3f0aef7aaa83cf6e06deb97ca3f909df920ac1490882d488ed.pem)

### DigiCert

[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=2228)
[Certification Practices Statement](https://www.digicert.com/CPS)

  * [8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem](excluded/8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26.pem)
  * [b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem](excluded/b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97.pem)

### Google

[WebTrust Audit](https://cert.webtrust.org/ViewSeal?id=1941)
[Certification Practices Statement](http://static.googleusercontent.com/media/pki.google.com/en//GIAG2-CPS-1.3.pdf)

  * [c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem](excluded/c3f697a92a293d86f9a3ee7ccb970e20e0050b8728cc83ed1b996ce9005d4c36.pem)

## Excluded Managed CAs

### DigiCert

  * [7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem](managed/7cac9a0ff315387750ba8bafdb1c2bc29b3f0bba16362ca93a90f84da2df5f3e.pem)
  * [ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem](managed/ac50b5fb738aed6cb781cc35fbfff7786f77109ada7c08867c04a573fd5cf9ee.pem)

91