Add an RSAKeyUsageForLocalAnchorsEnabled admin policy
We've long enforced this for known roots, ECDSA certs, and TLS 1.3. Only RSA cert + TLS 1.2 + unknown root is missing as an odd hold. It's time we do it across the board. This improves platform predictability by removing a weird corner case that people keep bumping into when they update to TLS 1.3 or ECDSA.

In addition to helping protect against cross-protocol attacks, checking keyUsage allows servers to mark their certificates in a way that protects against a downgrade attack around cleartext CertificateRequest.

For the first step here, add an admin policy to allow administrators to control it. For now, as the default is unenforced, the policy exists to allow admins to test the future behavior ahead of time. Later, it will allow admins who are behind to get a little more time.

Bug: 795089
Change-Id: Id96fd89790fdf6743359e858f7780cf623cf6165
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4122911
Reviewed-by: Carlos IL <carlosil@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1148188}
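The check the commit message refers to can be illustrated with a small model. The example below is added here and is not Chromium's code: it decodes an X.509 KeyUsage BIT STRING, maps the negotiated key exchange to the keyUsage bit it needs (static RSA key exchange encrypts with the certificate key, so it needs keyEncipherment; ECDHE_RSA and TLS 1.3 sign with it, so they need digitalSignature), and applies the enforcement matrix the message states: always enforced for known roots, ECDSA certificates and TLS 1.3, and for the remaining RSA + TLS 1.2 + unknown-root case only when the policy is on. The function names, the `KeyExchange` enum and the sample DER values are constructed for this example; the bit positions come from RFC 5280 and the key-exchange mapping from RFC 5246.

```python
"""Model of a TLS server-certificate keyUsage check (added example, not Chromium's code)."""
from enum import Enum

# X.509 KeyUsage bit positions (RFC 5280, section 4.2.1.3).
KU_DIGITAL_SIGNATURE = 0
KU_KEY_ENCIPHERMENT = 2


def decode_key_usage_bitstring(der):
    """Decode a DER-encoded KeyUsage BIT STRING and return the set of bit
    positions that are set. Only short-form lengths are handled, which is
    all a KeyUsage value ever needs (it is at most two content octets)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]          # number of trailing bits to ignore in the last octet
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    bits = set()
    for i in range(total_bits):
        # Bit 0 is the most significant bit of the first content octet.
        if body[i // 8] & (0x80 >> (i % 8)):
            bits.add(i)
    return bits


class KeyExchange(Enum):
    """How the server certificate's key is used in the handshake (hypothetical enum)."""
    RSA = "rsa"        # TLS 1.2 static RSA: the client encrypts the premaster secret to the cert key
    SIGNED = "signed"  # ECDHE_RSA, ECDHE_ECDSA, TLS 1.3: the server signs the handshake with it


def required_key_usage_bit(kx):
    return KU_KEY_ENCIPHERMENT if kx is KeyExchange.RSA else KU_DIGITAL_SIGNATURE


def key_usage_permits(ku_bits, kx):
    """A certificate without a KeyUsage extension (None) imposes no restriction."""
    if ku_bits is None:
        return True
    return required_key_usage_bit(kx) in ku_bits


def key_usage_enforced(key_type, tls_version, known_root, policy_enabled):
    """Enforcement matrix modelled on the commit message: known roots, ECDSA
    certificates and TLS 1.3 are always checked; RSA + TLS 1.2 + unknown
    (locally trusted) root is checked only when the admin policy is enabled."""
    if key_type == "ECDSA" or tls_version == "1.3" or known_root:
        return True
    return policy_enabled


def accept_certificate(ku_der, kx, key_type, tls_version, known_root, policy_enabled):
    """Return True if the handshake may proceed with this certificate."""
    ku_bits = decode_key_usage_bitstring(ku_der) if ku_der is not None else None
    if not key_usage_enforced(key_type, tls_version, known_root, policy_enabled):
        return True
    return key_usage_permits(ku_bits, kx)


# Constructed sample KeyUsage values (DER BIT STRING: tag, length, unused bits, content).
KU_DIGSIG_ONLY = bytes.fromhex("03020780")   # digitalSignature
KU_KEYENC_ONLY = bytes.fromhex("03020520")   # keyEncipherment
KU_DIGSIG_KEYENC = bytes.fromhex("030205a0")  # digitalSignature | keyEncipherment


if __name__ == "__main__":
    # RSA cert marked keyEncipherment only, used to sign an ECDHE_RSA handshake,
    # TLS 1.2, locally trusted root: accepted with the policy off, rejected with it on.
    for policy in (False, True):
        ok = accept_certificate(KU_KEYENC_ONLY, KeyExchange.SIGNED, "RSA", "1.2", False, policy)
        print(f"policy_enabled={policy}: accepted={ok}")
```

The interesting row for this change is the last one: with the policy off, a TLS 1.2 RSA certificate from a local anchor is accepted regardless of its keyUsage bits, while the same certificate under TLS 1.3, with an ECDSA key, or from a known root has always been rejected when the bits do not match the handshake.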