Hi Felix,

On Wed, 1 May 2024 10:18:17 -0700 (PDT)
Felix Linker <[email protected]> wrote:

> Hi everyone,
> 
> I encountered an oddity with an inclusion of a certificate of mine in
> a CT log. Namely, I would like to check the inclusion of this
> certificate (https://crt.sh/?id=12905498367) in the Yeti 2024 log. It
> should be included in that log because there is an SCT from that log.
> 
> If I query for the certificate's hash at the log (hash computed using
> my code), the log returns a leaf index:
> https://yeti2024.ct.digicert.com/log/ct/v1/get-proof-by-hash?hash=MGjihrSBitsZpxw3LNGIdA7SMKEWdDSp7i0r8WoO1zw=&tree_size=879757777
> 
> However, when I use that leaf index to query for the certificate (and
> its proof) the response is "Not Found":
> https://yeti2024.ct.digicert.com/log/ct/v1/get-entry-and-proof?leaf_index=878032114&tree_size=879757777
> 
> I presume the log is still auditable because it returns a proof of
> inclusion by the certificate's hash. However, I would expect the
> latter query not to fail. Am I missing something? These queries
> succeed for the other SCT of the certificate.

The get-entry-and-proof endpoint is effectively optional.  RFC 6962 says
"this API is probably only useful for debugging", which led some log
operators to omit support for it, and no browser operator has mandated
support for it (yet).  You should be able to obtain this log entry
using the get-entries endpoint instead.

(By the way, the best mailing list for issues about browser-recognized CT
logs is https://groups.google.com/a/chromium.org/g/ct-policy)

Regards,
Andrew
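As an added illustration of the audit step discussed above (this is not code from Felix, Andrew, or the Yeti log operator), the Python below reconstructs RFC 6962 leaf hashing and Merkle inclusion proofs so that a get-proof-by-hash response can be checked against a tree head's root hash, and builds the get-entries URL that serves as the substitute for the optional get-entry-and-proof endpoint. The leaves are constructed placeholder strings, not real MerkleTreeLeaf encodings; the log base URL and the leaf index 878032114 are the ones from the queries quoted above and are used only to form the URL.

```python
"""RFC 6962 Merkle-tree audit helpers: leaf hashing, inclusion proofs,
and verification of a get-proof-by-hash style response (added example)."""
import base64
import hashlib
from typing import Dict, List


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(leaf_input: bytes) -> bytes:
    """RFC 6962 s2.1: a leaf hashes as SHA-256(0x00 || MerkleTreeLeaf)."""
    return _sha256(b"\x00" + leaf_input)


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 s2.1; interior nodes are SHA-256(0x01 || left || right)."""
    n = len(leaves)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split_point(n)
    return _sha256(b"\x01" + merkle_tree_hash(leaves[:k]) + merkle_tree_hash(leaves[k:]))


def inclusion_path(m: int, leaves: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 s2.1.1: sibling hashes from the leaf up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_path(m, leaves[:k]) + [merkle_tree_hash(leaves[k:])]
    return inclusion_path(m - k, leaves[k:]) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int,
                     audit_path: List[bytes], root_hash: bytes) -> bool:
    """Inclusion-proof verification as specified in RFC 9162 s2.1.3.2."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf
    for p in audit_path:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = _sha256(b"\x01" + p + r)
            if not (fn & 1):
                # Right-shift until LSB(fn) is set or fn reaches 0.
                while fn != 0 and not (fn & 1):
                    fn >>= 1
                    sn >>= 1
        else:
            r = _sha256(b"\x01" + r + p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


def proof_by_hash_response(leaves: List[bytes], m: int) -> Dict:
    """Constructed stand-in for a get-proof-by-hash JSON body (RFC 6962 s4.5)."""
    return {"leaf_index": m,
            "audit_path": [base64.b64encode(p).decode() for p in inclusion_path(m, leaves)]}


def verify_response(leaf_input: bytes, tree_size: int, response: Dict, root_hash_b64: str) -> bool:
    """Check a get-proof-by-hash body against the root hash of a signed tree head."""
    path = [base64.b64decode(p) for p in response["audit_path"]]
    return verify_inclusion(leaf_hash(leaf_input), response["leaf_index"], tree_size,
                            path, base64.b64decode(root_hash_b64))


def get_entries_url(log_base: str, leaf_index: int) -> str:
    """get-entries (RFC 6962 s4.6) fetches one entry by index; it does not need get-entry-and-proof."""
    return f"{log_base}/ct/v1/get-entries?start={leaf_index}&end={leaf_index}"


# Constructed leaves standing in for MerkleTreeLeaf encodings; not real log data.
LEAVES = [f"constructed-leaf-{i}".encode() for i in range(7)]
ROOT_B64 = base64.b64encode(merkle_tree_hash(LEAVES)).decode()


def audit_all() -> bool:
    """Every leaf's proof verifies, and a proof for a different leaf is rejected."""
    ok = all(verify_response(LEAVES[m], len(LEAVES), proof_by_hash_response(LEAVES, m), ROOT_B64)
             for m in range(len(LEAVES)))
    wrong_leaf = verify_response(LEAVES[0], len(LEAVES), proof_by_hash_response(LEAVES, 1), ROOT_B64)
    return ok and not wrong_leaf


if __name__ == "__main__":
    print("audit:", audit_all())
    print(get_entries_url("https://yeti2024.ct.digicert.com/log", 878032114))
```

Against a live log, the root hash and tree size come from get-sth, the audit path from get-proof-by-hash, and the leaf input from the certificate's reconstructed MerkleTreeLeaf; only the last of these is glossed over here with constructed bytes.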

-- 
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20240502182937.06f1dfd94838481bb5939e4f%40andrewayer.name.
