From ff35321f8eb52f5f6ae54a89a07a0c729854e548 Mon Sep 17 00:00:00 2001 From: "rsleevi@chromium.org" Date: Fri, 17 May 2013 02:09:08 +0000 Subject: Warn if a well-known/"public" CA issues a certificate for a non-TLD In preparation for new gTLDs being issued, begin phasing out the process of permitting publicly-trusted, well-known CAs to issue certificates for names that the CA cannot verify exclusive control over, such as "webmail" or "intranet.corp". Instead, require all publicly-trusted certificates be issued for domains that chain to an ICANN-recognized root zone (registry controlled domain). For certs that fail to meet this basic criteria, do not display the page as secure, as an attacker may be able to go to another CA (or even the same CA as the 'legitimate' site) and get a valid, publicly-trusted certificate for the same name. This does not cause an interstitial to be shown, but represents the first step to phasing out the practice. BUG=119212 TEST=[to be filled in] Review URL: https://chromiumcodereview.appspot.com/15203007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@200704 0039d316-1c4b-4281-b951-d872f2087c98 --- net/cert/x509_certificate.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net/cert/x509_certificate.cc') diff --git a/net/cert/x509_certificate.cc b/net/cert/x509_certificate.cc index 382be8e..1b431ce 100644 --- a/net/cert/x509_certificate.cc +++ b/net/cert/x509_certificate.cc @@ -22,7 +22,7 @@ #include "base/strings/string_piece.h" #include "base/synchronization/lock.h" #include "base/time.h" -#include "googleurl/src/url_canon_ip.h" +#include "googleurl/src/url_canon.h" #include "net/base/net_util.h" #include "net/cert/pem_tokenizer.h" -- cgit v1.1