On 24/07/14 00:30, Eran Messeri wrote:
> On Wed, Jul 23, 2014 at 11:11 PM, Stephen Kent wrote:
> <snip>
>>> In light of this, it seems that ticket 23 can be solved by specifying that TLS clients check all non-embedded SCTs against the end-entity certificate or the intermediate certificate with extension OID 1.3.6.1.4.1.11129.2.4.7.
>>
>> This statement isn't as clear as it needs to be, since it talks about what a client does for a non-embedded SCT. Does a TLS client check an SCT that it encounters embedded in a CA cert?
>
> That's the point - the current wording of RFC6962-bis says nothing about what the client should be doing regarding SCTs embedded in non-EE certificates. My proposal is to say TLS clients SHOULD check SCTs against the EE certificate OR the intermediate with said extension OID.

There could be multiple intermediate certs containing said extension OID in the chain up to the root cert. There could even be multiple certificate chains from the EE cert to 1 or more root certs, and more than one of those chains could contain intermediate cert(s) with said extension OID!

What do you think about my alternative idea (see the comments on ticket 23)?

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
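Added example (not code from the thread or from any CT implementation) of the client-side logic the thread is circling: a TLS client handed a non-embedded SCT does not know which certificate the log signed over, so it builds the RFC 6962 section 3.2 `digitally-signed` input once per candidate (the EE cert plus every intermediate carrying 1.3.6.1.4.1.11129.2.4.7, collected across all chains as Rob describes) and tries each. The certificates are simplified stand-ins, and an HMAC over a constructed key stands in for the log's ECDSA signature so the block runs offline; the names `Cert`, `sct_candidates` and `find_sct_subject` are this example's own.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Extension OID from the thread: an intermediate carrying it is a candidate SCT subject.
CT_INTERMEDIATE_EXT_OID = "1.3.6.1.4.1.11129.2.4.7"

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for a parsed X.509 certificate (constructed data)."""
    name: str
    der: bytes
    extension_oids: tuple = ()

def sct_signed_data(timestamp_ms: int, cert_der: bytes, extensions: bytes = b"") -> bytes:
    """RFC 6962 s3.2 'digitally-signed' struct for a v1 SCT over an x509_entry."""
    return (
        b"\x00"                                           # sct_version = v1
        + b"\x00"                                         # signature_type = certificate_timestamp
        + struct.pack(">Q", timestamp_ms)                 # uint64 timestamp
        + b"\x00\x00"                                     # entry_type = x509_entry
        + len(cert_der).to_bytes(3, "big") + cert_der     # opaque ASN.1Cert<1..2^24-1>
        + struct.pack(">H", len(extensions)) + extensions # CtExtensions<0..2^16-1>
    )

def sct_candidates(chains):
    """Certs a non-embedded SCT may be bound to: the EE cert (chain[0]) plus every
    intermediate bearing the extension OID, de-duplicated across all chains."""
    seen, out = set(), []
    for chain in chains:
        for i, cert in enumerate(chain):
            if (i == 0 or CT_INTERMEDIATE_EXT_OID in cert.extension_oids) and cert.der not in seen:
                seen.add(cert.der)
                out.append(cert)
    return out

def find_sct_subject(chains, timestamp_ms, signature, verify):
    """Return the first candidate the SCT signature verifies over, or None."""
    for cert in sct_candidates(chains):
        if verify(sct_signed_data(timestamp_ms, cert.der), signature):
            return cert
    return None

# Constructed demo: HMAC with a fixed key stands in for the log's ECDSA key pair.
LOG_KEY = b"constructed-demo-log-key"
def demo_sign(data): return hmac.new(LOG_KEY, data, hashlib.sha256).digest()
def demo_verify(data, sig): return hmac.compare_digest(demo_sign(data), sig)

EE = Cert("ee", b"\x30\x82ee-der")
ICA1 = Cert("ica1", b"\x30\x82ica1-der", (CT_INTERMEDIATE_EXT_OID,))
ICA2 = Cert("ica2", b"\x30\x82ica2-der", (CT_INTERMEDIATE_EXT_OID,))
PLAIN_ICA = Cert("plain", b"\x30\x82plain-der")   # no extension: never a candidate
ROOT = Cert("root", b"\x30\x82root-der")
CHAINS = [[EE, ICA1, PLAIN_ICA, ROOT], [EE, ICA2, ROOT]]  # two chains for the same EE

def demo(timestamp_ms=1406161800000):
    sig = demo_sign(sct_signed_data(timestamp_ms, ICA2.der))  # log issued the SCT for ICA2
    return find_sct_subject(CHAINS, timestamp_ms, sig, demo_verify)
```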
