Hi Yann,

Our team continues to make preparations to launch the Chrome Root Store later this year. What you observe in the commit history is a set of changes that update the format and collection of initial root CAs targeted for inclusion in the Chrome Root Store, summarized below.

Recent updates:

- removing CA certificates whose corresponding CA operator has requested their removal (described further in 1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1759815> and 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1684158>)
- adding CA certificates for CAs that satisfy the criteria outlined in our existing <https://www.chromium.org/Home/chromium-security/root-ca-policy/> policy
- replacing existing CA certificates with the most recent versions (due to certificate modification)

Expect to see additional updates in the coming weeks and months as we prepare for launch. To be clear, none of the removals you observed are distrust events.

Regarding your interest in increased transparency, we’re working to address your concern. But first, we’re focused on completing our engineering efforts related to the Chrome Certificate Verifier and the Chrome Root Store (observed above), finalizing updates to our policies, defining our application process, and integrating our program and corresponding root store with CCADB.

For any questions related to the Chrome Root Program in the meantime - please feel free to email us at [email protected].

Thanks,
Ryan

On Thu, Apr 7, 2022 at 12:42 PM Yann Droneaud <[email protected]> wrote:

> (sorry it's probably not the correct mailing list to bring this issue)
>
> Hi,
>
> I'm following the changes made on chromium sources on the root store:
>
> https://chromium.googlesource.com/chromium/src.git/+log/refs/heads/main/net/data/ssl/chrome_root_store
>
> 1. ccb8b9d <https://chromium.googlesource.com/chromium/src.git/+/ccb8b9d1c624f73c0a547aebf9a57280bef30fe1>
>    Automatic update from google3
>    by CT Log list updates bot · 2 days ago
> 2. adce2c1 <https://chromium.googlesource.com/chromium/src.git/+/adce2c112ae3a4cfdfdd1f2b222f3cc99b3c0179>
>    Automatic update from google3
>    by CT Log list updates bot · 6 days ago
> 3. e88918b5 <https://chromium.googlesource.com/chromium/src.git/+/e88918b508d19a6434ef0e01790e04c391cf1935>
>    Automatic update from google3
>    by CT Log list updates bot · 7 days ago
> 4. 70c5ff7 <https://chromium.googlesource.com/chromium/src.git/+/70c5ff7005040b405ee6abb0af8db6d15ade9561>
>    Automatic update from google3
>    by CT Log list updates bot · 6 weeks ago
> 5. 8f37729 <https://chromium.googlesource.com/chromium/src.git/+/8f377296a7a0a23a007a9178465c0f276e45114d>
>    Add OWNERS file to allow bot updates of root_store files.
>    by Hubert Chao · 7 weeks ago
> 6. 0eadd64 <https://chromium.googlesource.com/chromium/src.git/+/0eadd64b82cfd8455589b1076e114a1467f0f751>
>    Keep all the certificates in the root store in a single file
>    by David Benjamin · 7 weeks ago
> 7. c93e561 <https://chromium.googlesource.com/chromium/src.git/+/c93e561dfed48cc1b783da31d895c999ea645c30>
>    Merge ev_store_tool and root_store_tool to use the same code gen tool,
>    by Hubert Chao · 3 months ago
> 8. e8de2ff <https://chromium.googlesource.com/chromium/src.git/+/e8de2ffc0a338aae082459f50cb4c0b3b993c5cd>
>    root_store_tool: Write a depfile to avoid manually listing indirect dependencies
>    by David Benjamin · 3 months ago
> 9. babf00e <https://chromium.googlesource.com/chromium/src.git/+/babf00e7c4f702bd3faac5741d2a6545b4377110>
>    Remove 3 expired roots from chrome root store and 2 roots that are
>    by Hubert Chao · 4 months ago
> 10. 02ed30b3 <https://chromium.googlesource.com/chromium/src.git/+/02ed30b3d019f90006a4cfb3961604b09f93a165>
>    Adjust Chrome Root Store code generation tool to allow for relative paths to be handled correctly.
>    by Hubert Chao · 7 months ago
> 11. 45ba98fa <https://chromium.googlesource.com/chromium/src.git/+/45ba98fa54bc776d80c63693d0dc615b3fa45e88>
>    Fix chrome root store codegen for cross-compile builds.
>    by Hubert Chao · 7 months ago
> 12. a98de1c6 <https://chromium.googlesource.com/chromium/src.git/+/a98de1c6b2e34feb941b7d81be25375fb41786da>
>    Switch directory structure for Chrome Root Store data to be simpler, and change the root_store_tool to match.
>    by Hubert Chao · 9 months ago
> 13. 7c39043 <https://chromium.googlesource.com/chromium/src.git/+/7c390438e040808f75fe5e16f9b4fad98385ed54>
>    Add Chrome Trust Store to net/cert/internals, plumb it through to
>    by Hubert Chao · 9 months ago
> 14. 14a7cc8 <https://chromium.googlesource.com/chromium/src.git/+/14a7cc85742483f071b7e3f9e6d45d1161d075e5>
>    Add C++ include generation to root_store_tool, build-flag guarded.
>    by Hubert Chao · 10 months ago
> 15. caa2438 <https://chromium.googlesource.com/chromium/src.git/+/caa2438f516fe141607e5f76dd10b03ccf2451e7>
>    Chrome root store: PEM files and skeleton of codegen tool
>    by Hubert Chao · 10 months ago
>
> It's a pity the recent changes adding/removing some certificates have
> the rather unuseful commit message: "Automatic update from google3".
>
> It's looking a bit opaque from my point of view, especially when
> compared with Mozilla's root store updates.
>
> https://g.co/chrome/root-policy doesn't give any hint, but is there any
> public mailing list where CA addition/removal are discussed before being
> checked in google3?
>
> Regards.
>
> --
> Yann Droneaud
> OPTEYA
