Hi Andrew,

> 1. Are SCTs from any log accepted, or only logs that are
> Qualified/Usable/Readonly?

The latter. We’re relying only on SCTs from logs considered trusted in Chrome (i.e., Qualified/Usable/Readonly).

> 2. I'm curious if you or anyone else is aware of efforts to audit CT log
> entries for backdated timestamps?

We’re not aware of any existing efforts to actively detect backdated timestamps. It might be worth also exploring this question with [email protected].

Thank you
-Chris

On Fri, May 24, 2024 at 11:53 AM Andrew Ayer <[email protected]> wrote:
> Hi Chris,
>
> It's excellent to see action being taken against this unsafe CA.
>
> Regarding SCT-based enforcement, I have a couple questions:
>
> 1. Are SCTs from any log accepted, or only logs that are
> Qualified/Usable/Readonly?
>
> 2. I'm curious if you or anyone else is aware of efforts to audit
> CT log entries for backdated timestamps? Since backdated timestamps
> have never been security-critical before now, SSLMate's monitor does
> not currently do any such auditing, and will not detect an SCT with a
> backdated timestamp as long as the log entry has been incorporated by
> the time the SCT is observed. I will be adding some checks as soon as
> possible, and I'm wondering if anyone has ideas for how it should
> work. (My current idea is to keep track of the log's largest entry
> timestamp, and raise an error if a subsequent entry is found with a
> timestamp that is earlier than the largest timestamp minus the MMD.)
>
> Regards,
> Andrew

To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CAAbw9mAiym_0DO2L1owXmANB4rr1aW55hsMFAEW6hC01jNm3iw%40mail.gmail.com.
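The backdating heuristic Andrew sketches above (track the log's largest entry timestamp and flag any later entry whose timestamp is earlier than that high-water mark minus the MMD) is simple enough to show end to end. The following is an added illustration written for this thread, not code from SSLMate's monitor or from any CT log implementation. It assumes entries are walked in tree order with an SCT timestamp in milliseconds, that the MMD is supplied by the caller (24 hours is used for the constructed sample), and that a monitor would persist the high-water mark between runs; the `LogEntry`, `BackdateAlert` and `find_backdated_entries` names are the example's own.

```python
"""Detect CT log entries whose SCT timestamp is backdated beyond the MMD.

Added example for the CCADB thread above; not part of any log or monitor.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class LogEntry:
    index: int          # position in the log's Merkle tree (0-based)
    timestamp_ms: int   # SCT timestamp, milliseconds since the Unix epoch


@dataclass(frozen=True)
class BackdateAlert:
    index: int           # tree index of the suspicious entry
    timestamp_ms: int    # its SCT timestamp
    high_water_ms: int   # largest timestamp seen before it
    excess_ms: int       # how far beyond the MMD window it was backdated


def find_backdated_entries(entries: Iterable[LogEntry], mmd_ms: int,
                           high_water_ms: Optional[int] = None) -> List[BackdateAlert]:
    """Walk entries in tree order and flag timestamps older than (max seen - MMD).

    Because a log may incorporate SCTs in any order inside its merge delay,
    timestamps are allowed to go backwards by up to mmd_ms; anything older than
    that cannot have been issued honestly relative to the entries already merged.
    `high_water_ms` lets a monitor resume from the mark it persisted last run.
    """
    alerts: List[BackdateAlert] = []
    for entry in entries:
        if high_water_ms is not None:
            floor_ms = high_water_ms - mmd_ms
            if entry.timestamp_ms < floor_ms:
                alerts.append(BackdateAlert(
                    index=entry.index,
                    timestamp_ms=entry.timestamp_ms,
                    high_water_ms=high_water_ms,
                    excess_ms=floor_ms - entry.timestamp_ms,
                ))
        # Advance the high-water mark; a flagged entry never lowers it.
        if high_water_ms is None or entry.timestamp_ms > high_water_ms:
            high_water_ms = entry.timestamp_ms
    return alerts


# Constructed sample data: a 24h MMD and six entries around an arbitrary base time.
MMD_MS = 24 * 60 * 60 * 1000
_BASE = 1_716_000_000_000
SAMPLE_ENTRIES = [
    LogEntry(0, _BASE),
    LogEntry(1, _BASE + 3_600_000),                 # 1h later
    LogEntry(2, _BASE - 600_000),                   # 10 min earlier: inside the MMD, fine
    LogEntry(3, _BASE + 7_200_000),                 # new high-water mark
    LogEntry(4, _BASE + 7_200_000 - 90_000_000),    # 25h behind the mark: 1h beyond the MMD
    LogEntry(5, _BASE + 10_000_000),
]


if __name__ == "__main__":
    for alert in find_backdated_entries(SAMPLE_ENTRIES, MMD_MS):
        print(f"entry {alert.index}: timestamp {alert.timestamp_ms} is "
              f"{alert.excess_ms} ms older than allowed (high-water {alert.high_water_ms})")
```

Entry 2 in the sample is earlier than entries 0 and 1 but only by ten minutes, which the MMD permits, so only entry 4 is reported. The check is deliberately a floor rather than a strict monotonicity test; backdating that stays within the MMD window is invisible to it, which is the limitation Andrew's parenthetical implies rather than a bug in the heuristic.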
