The poison extension is removed from the Precertificate prior to the log producing an SCT over it, so a client never has to know about it. What the TLS client has to do is to remove the "embedded SCTs" extension from the certificate prior to validating the signature.
On Thu, Sep 11, 2014 at 11:40 AM, Erwann Abalea <[email protected]> wrote:
> Hello,
>
> It seems there's no constraint on the order of extensions in the final
> certificate with regard to the Precert.
> Won't it be problematic if the browser wants to validate the SCT
> signatures by constructing the Precert from the final certificate? Where
> should a CA add the poisonous extension? And the future "redactedlabels"
> extension (it has no name)?
>
> --
> Erwann.
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
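Added example (not part of the original thread and not taken from any CT implementation): the reconstruction described in the reply, in Python, limited to the Extensions SEQUENCE rather than a full TBSCertificate. The extension values are constructed placeholders; the example shows that where the CA places the poison and embedded-SCT extensions does not matter, while the remaining extensions must stay byte-identical and in the same order.

```python
# Added example: constructed data, standard library only.
POISON_OID = bytes.fromhex("060a2b06010401d679020403")    # 1.3.6.1.4.1.11129.2.4.3
SCT_LIST_OID = bytes.fromhex("060a2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2

def tlv(tag, content):
    """DER-encode one element (short or long definite length)."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:  # long form: the next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def strip_extension(extensions_der, oid_der):
    """Re-encode an Extensions SEQUENCE without the extension whose OID TLV is oid_der."""
    tag, body, end = read_tlv(extensions_der, 0)
    if tag != 0x30 or end != len(extensions_der):
        raise ValueError("expected exactly one SEQUENCE")
    kept, pos = [], 0
    while pos < len(body):
        start = pos
        _, ext_body, pos = read_tlv(body, pos)
        if not ext_body.startswith(oid_der):  # extnID is the first field
            kept.append(body[start:pos])      # untouched bytes, original order
    return tlv(0x30, b"".join(kept))

def ext(oid_der, value, critical=False):
    """Build one Extension: extnID, optional critical=TRUE, extnValue OCTET STRING."""
    return tlv(0x30, oid_der + (b"\x01\x01\xff" if critical else b"") + tlv(0x04, value))

# Constructed sample extensions (not from a real certificate).
BASIC = ext(bytes.fromhex("0603551d13"), b"\x30\x00", critical=True)  # basicConstraints
KEY_USAGE = ext(bytes.fromhex("0603551d0f"), b"\x03\x02\x07\x80")     # keyUsage
POISON = ext(POISON_OID, b"\x05\x00", critical=True)                  # ASN.1 NULL
SCT_LIST = ext(SCT_LIST_OID, tlv(0x04, b"\x00" * 130))                # placeholder SCT bytes
PRECERT = tlv(0x30, POISON + BASIC + KEY_USAGE)      # poison placed first
FINAL = tlv(0x30, BASIC + SCT_LIST + KEY_USAGE)      # SCT list placed in the middle
REORDERED = tlv(0x30, KEY_USAGE + BASIC + SCT_LIST)  # other extensions swapped
```

Stripping the poison from `PRECERT` and the SCT list from `FINAL` yields the same bytes; `REORDERED` does not, because the log's signature covers the remaining extensions exactly as encoded.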
