Opened 6 years ago

Closed 6 years ago

#150 closed enhancement (invalid)

Architecture document: Indicate missing SCT is equivalent to invalid one

Reported by: eranm@…
Owned by: draft-ietf-trans-threat-analysis@…
Priority: major
Milestone:
Component: threat-analysis
Version:
Severity: -
Keywords:
Cc:

Description

In section 2, in the part about TLS clients (browsers), append "or missing" to the last section so it reads "if the SCT is invalid or missing" - a CT-aware TLS client should treat both cases as equal.

Change History (2)

comment:1 Changed 6 years ago by kent@…

I don't think it appropriate to treat missing and invalid SCTs as equivalent. An invalid SCT violates the spec for SCT syntax or has a bad signature, and thus is a justification for rejecting a cert. We do not have a proposal for how to be backwards compatible and yet mandate SCTs for all web server sites, so we ought not treat a missing SCT as equivalent.

comment:2 Changed 6 years ago by eranm@…

  • Resolution set to invalid
  • Status changed from new to closed

Fair enough.
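
As an added illustration of the distinction argued over in this ticket (not code from the ticket, the draft or its authors): a Python classifier that separates an absent signed_certificate_timestamp extension from a syntactically malformed one, following the SCT encoding of RFC 6962 sections 3.2 and 3.3. Signature verification against a log key is assumed to happen elsewhere; the sample extension body is constructed with placeholder log ID and signature bytes.

```python
"""Added example: classify a TLS SCT extension body as missing, invalid or present."""
import struct
from typing import Optional

SCT_V1, LOG_ID_LEN = 0, 32


def parse_sct(blob: bytes) -> dict:
    """Parse one SerializedSCT (RFC 6962 3.2); raise ValueError on a syntax violation."""
    pos = 1 + LOG_ID_LEN + 8  # version (1), LogID (32), uint64 timestamp (8)
    if len(blob) < pos + 2 or blob[0] != SCT_V1:
        raise ValueError("short SCT or unknown version")
    timestamp = struct.unpack(">Q", blob[pos - 8:pos])[0]
    ext_len = struct.unpack(">H", blob[pos:pos + 2])[0]
    pos += 2 + ext_len
    # digitally-signed: hash alg (1), sig alg (1), opaque signature<0..2^16-1>
    if len(blob) < pos + 4:
        raise ValueError("truncated extensions or signature header")
    sig_len = struct.unpack(">H", blob[pos + 2:pos + 4])[0]
    if pos + 4 + sig_len != len(blob):
        raise ValueError("signature length mismatch")
    return {"log_id": blob[1:1 + LOG_ID_LEN], "timestamp": timestamp,
            "signature": blob[pos + 4:]}


def classify_sct_extension(ext_body: Optional[bytes]) -> str:
    """'missing' if the extension is absent, 'invalid' on any syntax error,
    else 'present:<n>'. Policy for each outcome is left to the caller."""
    if ext_body is None:
        return "missing"
    try:
        total = struct.unpack(">H", ext_body[:2])[0]  # sct_list length
        if total == 0 or total != len(ext_body) - 2:
            raise ValueError("bad sct_list length")
        pos, count = 2, 0
        while pos < len(ext_body):
            n = struct.unpack(">H", ext_body[pos:pos + 2])[0]
            if n == 0 or pos + 2 + n > len(ext_body):
                raise ValueError("bad SerializedSCT length")
            parse_sct(ext_body[pos + 2:pos + 2 + n])
            pos, count = pos + 2 + n, count + 1
        return f"present:{count}"
    except (ValueError, struct.error):
        return "invalid"


def sample_extension() -> bytes:
    """Constructed sample: one v1 SCT, placeholder log ID, no extensions, dummy signature."""
    sct = bytes([SCT_V1]) + b"\x11" * LOG_ID_LEN + struct.pack(">Q", 1500000000000)
    sct += struct.pack(">H", 0) + bytes([4, 3]) + struct.pack(">H", 8) + b"\x00" * 8
    return struct.pack(">H", len(sct) + 2) + struct.pack(">H", len(sct)) + sct
```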
