Opened 7 years ago

Closed 7 years ago

#99 closed defect (fixed)

Clearer definition of when a certificate is CT-compliant needed

Reported by: eranm@… Owned by: melinda.shore@…
Priority: major Milestone: review
Component: rfc6962-bis Version:
Severity: - Keywords:


The current text in the "Including the Signed Certificate Timestamp in the TLS Handshake" has a few problems, particularly:
"The SCT data corresponding to at least one certificate in the chain
from at least one log must be included in the TLS handshake..."

  • The text should make a clear assertion that this is for a certificate to be considered CT-compliant.
  • The 'must' should be a MUST.
  • The text currently requires 'at least one certificate in the chain'. It does not require the SCTs to be for the leaf cert (although currently there's no way to indicate any of the non-embedded SCTs are for a certificate that's not the leaf certificate).

The text could be pivoted to indicate that any certificate in the chain accompanied by SCTs is considered CT-compliant.

Change History (4)

comment:1 Changed 7 years ago by eranm@…

  • Resolution set to needs-review
  • Status changed from new to closed

Propose this ticket be closed (Fixed) as the term 'compliant' is now used consistently throughout the text to mean 'compliant with the RFC'.
For example, see
"By validating SCTs, TLS clients can thus determine whether

certificates are compliant. A certificate not accompanied by a valid
SCT MUST NOT be considered compliant by TLS clients.".

comment:2 Changed 7 years ago by eranm@…

  • Resolution needs-review deleted
  • Status changed from closed to reopened

comment:3 Changed 7 years ago by eranm@…

  • Milestone set to review
  • Owner changed from eranm@… to melinda.shore@…
  • Status changed from reopened to new

comment:4 Changed 7 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.