Opened 7 years ago

Closed 7 years ago

#46 closed enhancement (fixed)

Provide explicit instructions for how log servers should handle already-logged certs

Reported by: rick_andrews@… Owned by: draft-ietf-trans-rfc6962-bis@…
Priority: major Milestone: milestone1
Component: rfc6962-bis Version: 1.0
Severity: - Keywords:
Cc:

Description

Let’s say I’ve issued a cert and embedded the SCTs in the cert. Now I (or someone else) send the cert to log servers using the add-chain command. What happens? Should the log server see if one of the SCTs is from itself, and if so just return that SCT? Or should it generate a new SCT?

Rob Stradling helped me understand that the SCTs in the cert would have an "entry_type" of "precert_entry", so the log server shouldn’t just return that. Instead, it seems that it should create a new SCT with an "entry_type" of "x509_entry". But it’s worth clarifying that this new SCT would contain a hash over the entire cert, including the existing SCTs, even if one of those embedded SCTs originated from that same log server.

Eran said: "Good point - it's completely valid to send a certificate with embedded SCT from one log as an x509_entry certificate to other logs to obtain additional SCTs. The RFC should be explicit about this situation."
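
As an added illustration (not part of the ticket or of the RFC text), the Python below serialises the digitally-signed SCT structure from RFC 6962 section 3.2 for both entry types and models the add-chain behaviour the ticket asks for: the log ignores the embedded SCTs, even its own, and signs a fresh x509_entry whose input is the complete certificate, SCT extension included, whereas the earlier precert_entry input covered only the TBSCertificate. The certificate, TBSCertificate, SCT and log ID bytes are constructed stand-ins, not real DER.

```python
import struct

# Constants from RFC 6962 section 3.2 (SignedCertificateTimestamp).
V1 = 0
CERTIFICATE_TIMESTAMP = 0           # SignatureType
X509_ENTRY, PRECERT_ENTRY = 0, 1    # LogEntryType

def opaque(data: bytes, len_bytes: int) -> bytes:
    """TLS variable-length vector: big-endian length prefix of len_bytes bytes, then data."""
    return len(data).to_bytes(len_bytes, "big") + data

def sct_signed_data(timestamp_ms: int, entry_type: int, entry: bytes, extensions: bytes = b"") -> bytes:
    """Serialise the digitally-signed struct that a log signs to produce an SCT.
    x509_entry:    entry is the complete DER certificate (ASN.1Cert, opaque<1..2^24-1>).
    precert_entry: entry is issuer_key_hash (32 bytes) followed by the DER TBSCertificate
                   with the poison extension removed (PreCert)."""
    if entry_type == X509_ENTRY:
        signed_entry = opaque(entry, 3)
    elif entry_type == PRECERT_ENTRY:
        if len(entry) < 33:
            raise ValueError("PreCert needs a 32-byte issuer_key_hash plus a TBSCertificate")
        signed_entry = entry[:32] + opaque(entry[32:], 3)
    else:
        raise ValueError(f"unknown entry_type {entry_type}")
    return (bytes([V1, CERTIFICATE_TIMESTAMP]) + struct.pack(">QH", timestamp_ms, entry_type)
            + signed_entry + opaque(extensions, 2))

def log_add_chain(log_id: bytes, cert_der: bytes, embedded: list, timestamp_ms: int) -> dict:
    """Behaviour the ticket asks for. `embedded` lists (log_id, sct_bytes) pairs already
    carried in cert_der. Even when one of them came from this very log, it is not handed
    back: the log signs a new x509_entry over the whole certificate, embedded SCTs included."""
    own = [sct for lid, sct in embedded if lid == log_id]
    to_sign = sct_signed_data(timestamp_ms, X509_ENTRY, cert_der)
    return {"entry_type": X509_ENTRY, "reused_embedded_sct": False,
            "own_sct_in_signed_input": any(sct in to_sign for sct in own), "to_sign": to_sign}

# Constructed stand-ins (not real DER): a TBSCertificate, the precert SCT log A issued over
# it, and the final certificate = TBS + SCT-list extension (OID 1.3.6.1.4.1.11129.2.4.2) + signature.
LOG_A = bytes.fromhex("aa" * 32)
ISSUER_KEY_HASH = bytes.fromhex("11" * 32)
TBS = b"<tbsCertificate-without-poison-extension>"
SCT_FROM_A = b"<sct:log=A,entry_type=precert_entry>"
FINAL_CERT = TBS + b"<ext 1.3.6.1.4.1.11129.2.4.2>" + SCT_FROM_A + b"<signature>"

# What log A signed at precert time, and what it must sign when the final cert is resubmitted.
PRECERT_INPUT = sct_signed_data(1_500_000_000_000, PRECERT_ENTRY, ISSUER_KEY_HASH + TBS)
RESULT = log_add_chain(LOG_A, FINAL_CERT, [(LOG_A, SCT_FROM_A)], 1_500_000_001_000)
```

The two signing inputs differ in entry_type, in the bytes covered and in timestamp, so the new SCT can never be a copy of the embedded one.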

Change History (1)

comment:1 Changed 7 years ago by benl@…

  • Resolution set to fixed
  • Status changed from new to closed