On 11 September 2014 11:56, Eran Messeri <[email protected]> wrote:
> The poison extension is removed from the Precertificate prior to the log
> producing an SCT over it, so a client never has to know about it. What the
> TLS client has to do is to remove the "embedded SCTs" extension from the
> certificate prior to validating the signature.

This does imply that the remaining extensions have to be in the same order
in both precert and cert, I think?

>
> On Thu, Sep 11, 2014 at 11:40 AM, Erwann Abalea <[email protected]> wrote:
>>
>> Hello,
>>
>> It seems there's no constraint on the order of extensions in the final
>> certificate with regard to the Precert.
>> Won't it be problematic if the browser wants to validate the SCT
>> signatures by constructing the Precert from the final certificate? Where
>> should a CA add the poisonous extension? And the future "redactedlabels"
>> extension (it has no name)?
>>
>> --
>> Erwann.
>>
>> _______________________________________________
>> Trans mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/trans
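
Added example, not part of the thread and not code from any CT implementation: a minimal DER sketch of the point discussed above, showing that dropping the poison or embedded-SCT extension yields identical bytes only when the remaining extensions keep their order. It models only the extensions field rather than a full TBSCertificate; the helper names, the example.test SAN and the SCT list value are constructed placeholders.

```python
def der(tag, content):
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return der(0x06, bytes(body))

def ext(dotted, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical (if TRUE), extnValue }."""
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, oid(dotted) + crit + der(0x04, value))

def tlvs(buf):
    """Split DER content into (tag, content, raw_tlv) triples."""
    out, i = [], 0
    while i < len(buf):
        n, hdr = buf[i + 1], 2
        if n & 0x80:  # long-form length
            hdr += n & 0x7F
            n = int.from_bytes(buf[i + 2:i + hdr], "big")
        out.append((buf[i], buf[i + hdr:i + hdr + n], buf[i:i + hdr + n]))
        i += hdr + n
    return out

POISON, SCT_LIST = oid("1.3.6.1.4.1.11129.2.4.3"), oid("1.3.6.1.4.1.11129.2.4.2")

def signed_form(exts_der):
    """Drop the CT-only extensions, keep every other extension byte-for-byte in order."""
    tag, content, _ = tlvs(exts_der)[0]
    kept = [raw for _, body, raw in tlvs(content)
            if tlvs(body)[0][2] not in (POISON, SCT_LIST)]
    return der(tag, b"".join(kept))

# Constructed sample extensions (values are placeholders, not real certificate data).
BC = ext("2.5.29.19", der(0x30, b""), critical=True)
SAN = ext("2.5.29.17", der(0x30, der(0x82, b"example.test")))
POISON_EXT = ext("1.3.6.1.4.1.11129.2.4.3", der(0x05, b""), critical=True)
SCT_EXT = ext("1.3.6.1.4.1.11129.2.4.2", b"constructed-sct-list")

PRECERT = der(0x30, BC + SAN + POISON_EXT)
CERT_SAME_ORDER = der(0x30, BC + SCT_EXT + SAN)   # SCT extension placed elsewhere
CERT_REORDERED = der(0x30, SAN + BC + SCT_EXT)    # remaining extensions swapped
```

In this model the position of the removed extension does not matter, but any reordering of the remaining extensions changes the reconstructed bytes, so a signature computed over the precertificate form would no longer verify.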
