Warn if a well-known/"public" CA issues a certificate for a non-TLD

In preparation for new gTLDs being issued, begin phasing out the process of
permitting publicly-trusted, well-known CAs to issue certificates for names
that the CA cannot verify exclusive control over, such as "webmail" or
"intranet.corp".

Instead, require all publicly-trusted certificates be issued for domains that
chain to an ICANN-recognized root zone (registry controlled domain).

For certs that fail to meet this basic criteria, do not display the page as
secure, as an attacker may be able to go to another CA (or even the same CA
as the 'legitimate' site) and get a valid, publicly-trusted certificate for the
same name.

This does not cause an interstitial to be shown, but represents the first step
to phasing out the practice.

BUG=119212
TEST=[to be filled in]

Review URL: https://chromiumcodereview.appspot.com/15203007

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@200704 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 1 insertions, 1 deletions

diff --git a/net/cert/x509_certificate.cc b/net/cert/x509_certificate.cc
index 382be8e..1b431ce 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -22,7 +22,7 @@
 #include "base/strings/string_piece.h"
 #include "base/synchronization/lock.h"
 #include "base/time.h"
-#include "googleurl/src/url_canon_ip.h"
+#include "googleurl/src/url_canon.h"
 #include "net/base/net_util.h"
 #include "net/cert/pem_tokenizer.h"