#127: confusing case is allowed: submission of pre-cert without embedding SCT in issued cert
Comment (by [email protected]):

At first glance I would tend to agree there's not much point intentionally submitting a pre-certificate and not embedding the resulting SCT; however, in practice I can see cases where this would happen for operational reasons. Let's say a CA submits a precertificate to 6 logs in parallel, and then waits until it gets enough SCTs back to meet the minimums per Chrome's EV CT policy. Maybe one of the logs is performing badly and takes too long to respond, but then does respond with a valid SCT, or maybe a log responds but the network connection is broken such that the CA never receives the response. In this scenario the CA has enough SCTs, so it embeds them in a certificate and issues it. If the MAY were a MUST, it would imply that a CA is in error if it doesn't embed an SCT, and I don't think that makes sense in this case.

--
-------------------------+-------------------------------------------------
 Reporter:  [email protected]   |  Owner:  draft-ietf-trans-[email protected]
     Type:  enhancement  |  Status:  new
 Priority:  major        |  Milestone:
Component:  rfc6962-bis  |  Version:
 Severity:  -            |  Resolution:
 Keywords:               |
-------------------------+-------------------------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/127#comment:1>
trans <http://tools.ietf.org/trans/>
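The quorum-gathering behaviour the comment describes, as an added example that is not part of the ticket or of the rfc6962-bis draft: a CA submits one precertificate to several logs in parallel, issues as soon as the policy minimum of valid SCTs is in hand, and any valid SCT that arrives afterwards (or never arrives) is simply not embedded. Log names, latencies, the quorum value and the deadline are constructed assumptions, not values from Chrome's policy.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class LogReply:
    log: str
    arrival_ms: Optional[int]  # None: reply never reached the CA (network broken)
    sct: Optional[str]         # None: log answered with an error instead of an SCT

@dataclass
class IssuanceResult:
    embedded: List[str]          # SCTs placed in the issued certificate
    issued_at_ms: Optional[int]  # None if the quorum was never reached
    not_embedded: List[str]      # valid SCTs the CA received but did not embed

def issue_with_quorum(replies, quorum, deadline_ms):
    """Consume replies in arrival order; issue once `quorum` valid SCTs are held."""
    received = sorted((r for r in replies if r.arrival_ms is not None),
                      key=lambda r: r.arrival_ms)
    embedded, issued_at = [], None
    for r in received:
        if r.arrival_ms > deadline_ms:
            break                    # CA stops waiting; quorum not met, no issuance
        if r.sct is None:
            continue                 # error reply: nothing to embed
        embedded.append(r.sct)
        if len(embedded) == quorum:
            issued_at = r.arrival_ms  # enough SCTs: issue now, stop waiting
            break
    if issued_at is None:
        return IssuanceResult([], None, [])
    leftover = [r.sct for r in received if r.sct and r.sct not in embedded]
    return IssuanceResult(embedded, issued_at, leftover)

# Constructed sample: six logs; log-c errors, log-d's reply is lost, log-f is slow.
SAMPLE_REPLIES = [
    LogReply("log-a", 120, "sct-a"),
    LogReply("log-b", 140, "sct-b"),
    LogReply("log-c", 300, None),
    LogReply("log-d", None, "sct-d"),
    LogReply("log-e", 450, "sct-e"),
    LogReply("log-f", 9000, "sct-f"),  # valid SCT, but after issuance
]

def demo():
    # quorum of 3 is met at 450 ms; sct-f is valid yet never embedded
    return issue_with_quorum(SAMPLE_REPLIES, quorum=3, deadline_ms=5000)
```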
