components/policy/resources/templates/policy_definitions/Miscellaneous/EnforceLocalAnchorConstraintsEnabled.yaml - chromium/src - Git at Google

 caption: Determines whether the built-in certificate verifier
   will enforce constraints encoded into trust anchors loaded from the platform
   trust store.
 default: true
 desc: |-
   X.509 certificates may encode constraints, such as Name Constraints,
   in extensions in the certificate. RFC 5280 specifies that enforcing such
   constraints on trust anchor certificates is optional. Starting in
   <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 112, such constraints
   in certificates loaded from the platform certificate store will now be
   enforced.

   This policy exists as a temporary opt-out in case an enterprise encounters
   issues with the constraints encoded in their private roots. In that case this
   policy may be used to temporarily disable enforcement of the constraints
   while correcting the certificate issues.

   When this policy is not set, or is set to enabled,
   <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will enforce
   constraints encoded into trust anchors loaded from the platform trust store.

   When this policy is set to disabled,
   <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not enforce
   constraints encoded into trust anchors loaded from the platform trust store.

   This policy has no effect if the
   <ph name="CHROME_ROOT_STORE_ENABLED_POLICY_NAME">ChromeRootStoreEnabled</ph>
   policy is disabled.

   This policy is planned to be removed in
   <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 115.

 example_value: false
 features:
   dynamic_refresh: true
   per_profile: false
 items:
 - caption: Enforce constraints in locally added trust anchors
   value: true
 - caption: Do not enforce constraints in locally added trust anchors
   value: false
 owners:
 - mattm@chromium.org
 - file://net/cert/OWNERS
 schema:
   type: boolean
 supported_on:
 - chrome.win:112-
 - chrome.mac:112-
 - chrome.linux:112-
 - chrome_os:112-
 future_on:
 - android
 tags: []
 type: main
	caption: Determines whether the built-in certificate verifier
	will enforce constraints encoded into trust anchors loaded from the platform
	trust store.
	default: true
	desc: \|-
	X.509 certificates may encode constraints, such as Name Constraints,
	in extensions in the certificate. RFC 5280 specifies that enforcing such
	constraints on trust anchor certificates is optional. Starting in
	<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 112, such constraints
	in certificates loaded from the platform certificate store will now be
	enforced.

	This policy exists as a temporary opt-out in case an enterprise encounters
	issues with the constraints encoded in their private roots. In that case this
	policy may be used to temporarily disable enforcement of the constraints
	while correcting the certificate issues.

	When this policy is not set, or is set to enabled,
	<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will enforce
	constraints encoded into trust anchors loaded from the platform trust store.

	When this policy is set to disabled,
	<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not enforce
	constraints encoded into trust anchors loaded from the platform trust store.

	This policy has no effect if the
	<ph name="CHROME_ROOT_STORE_ENABLED_POLICY_NAME">ChromeRootStoreEnabled</ph>
	policy is disabled.

	This policy is planned to be removed in
	<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 115.

	example_value: false
	features:
	dynamic_refresh: true
	per_profile: false
	items:
	- caption: Enforce constraints in locally added trust anchors
	value: true
	- caption: Do not enforce constraints in locally added trust anchors
	value: false
	owners:
	- mattm@chromium.org
	- file://net/cert/OWNERS
	schema:
	type: boolean
	supported_on:
	- chrome.win:112-
	- chrome.mac:112-
	- chrome.linux:112-
	- chrome_os:112-
	future_on:
	- android
	tags: []
	type: main