On 06/01/2015 03:19 PM, Ben Laurie wrote:
> On 29 May 2015 at 14:51, Ondrej Mikle <[email protected]> wrote:
>>
>> What should be the LogEntryType for SCTs in case of SCTs sent in TLS
>> extension? I think it's missing in section 3.4.1 in 6962-bis (sections
>> 3.4.2.1 and 3.4.2.2 specify it). By looking at the reference CT client
>> it seems that it is expected to be "x509_entry" (in
>> CertSubmissionHandler::X509ChainToEntry).
>
> Not sure there's any need to require particular types for SCTs. In
> practice, an SCT included in an X509v3 extension has to be a
> precertificate SCT, of course. But in other contexts it could be
> either type - though it would obviously be expected that for OCSP and
> TLS extensions it would be an x509_entry, there's no reason I can see
> to force this choice.
Unless it's explicitly specified, the code has to try both variants
(precert_entry and x509_entry) to see which one would match the signature.
At least I thought that was the reason LogEntryType was explicitly specified
for OCSP extension and certificate extension in 6962-bis (and was wondering
why explicit LogEntryType was missing for TLS extension).

Ondrej

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
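To make the point in the reply above concrete, here is an added example (not from the thread, the reference CT client, or any log implementation): the serializer builds the RFC 6962 digitally-signed struct for each LogEntryType, and the client tries both reconstructions against the SCT signature when the carrying context does not fix the type. HMAC-SHA256 under a shared key stands in for the log's ECDSA signature so it runs with the standard library only, and the certificate bytes are constructed placeholders, not real DER.

```python
import hashlib
import hmac
import struct

X509_ENTRY, PRECERT_ENTRY = 0, 1   # RFC 6962 LogEntryType values

def _opaque(data, length_bytes):
    """TLS-style vector: big-endian length prefix followed by the body."""
    return len(data).to_bytes(length_bytes, "big") + data

def sct_signed_data(timestamp_ms, entry_type, entry, extensions=b"", issuer_key_hash=None):
    """Serialize the digitally-signed struct an SCT signature covers (RFC 6962 3.2).
    x509_entry: `entry` is the DER end-entity certificate.  precert_entry: `entry` is
    the DER TBSCertificate, `issuer_key_hash` the SHA-256 of the issuer's SPKI."""
    out = b"\x00\x00" + struct.pack(">QH", timestamp_ms, entry_type)  # v1, certificate_timestamp
    if entry_type == X509_ENTRY:
        out += _opaque(entry, 3)                      # ASN.1Cert<1..2^24-1>
    elif entry_type == PRECERT_ENTRY:
        if issuer_key_hash is None or len(issuer_key_hash) != 32:
            raise ValueError("precert_entry needs a 32-byte issuer_key_hash")
        out += issuer_key_hash + _opaque(entry, 3)    # PreCert: hash || TBSCertificate
    else:
        raise ValueError("unknown LogEntryType %d" % entry_type)
    return out + _opaque(extensions, 2)               # CtExtensions<0..2^16-1>

def match_entry_type(verify, timestamp_ms, signature, candidates, extensions=b""):
    """Try each candidate LogEntryType and return the one whose reconstruction
    verifies, or None.  `candidates` maps entry_type -> (entry, issuer_key_hash);
    `verify(data, sig)` is the check against the log's public key."""
    for entry_type, (entry, ikh) in candidates.items():
        if verify(sct_signed_data(timestamp_ms, entry_type, entry, extensions, ikh), signature):
            return entry_type
    return None

# Constructed demo input; HMAC-SHA256 under a shared key stands in for the log's ECDSA signature.
DEMO_KEY = b"demo-log-key"
DEMO_CERT, DEMO_TBS = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"  # placeholders, not real DER
DEMO_IKH = hashlib.sha256(b"demo-issuer-spki").digest()
DEMO_TS = 1433166000000

def demo_sign(data):
    return hmac.new(DEMO_KEY, data, "sha256").digest()

def demo_verify(data, sig):
    return hmac.compare_digest(demo_sign(data), sig)

def demo():
    # The log signed a precert entry; the client only finds that out by trying both types.
    sig = demo_sign(sct_signed_data(DEMO_TS, PRECERT_ENTRY, DEMO_TBS, b"", DEMO_IKH))
    both = {X509_ENTRY: (DEMO_CERT, None), PRECERT_ENTRY: (DEMO_TBS, DEMO_IKH)}
    return match_entry_type(demo_verify, DEMO_TS, sig, both)
```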
