On 2015-11-26 10:38, Dmitry Belyavsky wrote:
> Does it make sense to specify behaviour for the case when some of
> the SCTs delivered to the browser are incorrect (do not match the log
> key, the cert, etc)?

I've quoted two sentences from the draft below. I think [0] adequately
describes what to do if some of the SCTs don't match the browser's
metadata, and [1] describes what to do if any of the SCTs match the
metadata but fail validation. Is there another case that the draft is
missing? Or is there a way we could make the draft more clear?

[0] If no metadata for the log is available to the browser, the SCT is
ignored.

[1] If an SCT is conveyed for a TLS server in any of the ways noted
above and it fails validation, the browser MUST consider the
certificate for the server to be invalid and proceed accordingly.
--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
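
The two quoted rules applied to a mixed set of SCTs, as an added example that is not part of the original message or of the draft. Assumptions: the SCT class, evaluate_scts and all sample keys are hypothetical, and HMAC-SHA256 stands in for the log's public-key signature so the sketch runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class SCT:
    log_id: bytes     # identifies the issuing log (here: SHA-256 of its key)
    timestamp: int
    signature: bytes

def _sign(key: bytes, cert: bytes, timestamp: int) -> bytes:
    # Stand-in (assumption): a real log signs with its private key and the
    # browser verifies with the public key held in its log metadata.
    return hmac.new(key, timestamp.to_bytes(8, "big") + cert, hashlib.sha256).digest()

def make_sct(key: bytes, cert: bytes, timestamp: int) -> SCT:
    return SCT(hashlib.sha256(key).digest(), timestamp, _sign(key, cert, timestamp))

def evaluate_scts(cert: bytes, scts, known_logs: dict):
    """Return (cert_invalid, per-SCT outcomes) for the SCTs conveyed with cert.

    known_logs maps log_id -> key and models the browser's log metadata.
    """
    outcomes = []
    for sct in scts:
        key = known_logs.get(sct.log_id)
        if key is None:
            outcomes.append("ignored")   # [0]: no metadata for the log
        elif hmac.compare_digest(sct.signature, _sign(key, cert, sct.timestamp)):
            outcomes.append("valid")
        else:
            outcomes.append("failed")    # [1]: conveyed, but fails validation
    # [1] fires if any SCT fails; ignored SCTs neither help nor hurt.
    return "failed" in outcomes, outcomes

# Constructed sample data (not real logs, keys or certificates).
CERT = b"constructed-example-certificate"
LOG_A, LOG_B, LOG_UNKNOWN = b"log-a-key", b"log-b-key", b"log-unknown-key"
KNOWN = {hashlib.sha256(k).digest(): k for k in (LOG_A, LOG_B)}
TS = 1448534280

good = make_sct(LOG_A, CERT, TS)
unknown_log = make_sct(LOG_UNKNOWN, CERT, TS)                 # log not in metadata
wrong_cert = make_sct(LOG_B, b"some-other-certificate", TS)   # does not match the cert
wrong_key = SCT(good.log_id, TS, _sign(LOG_UNKNOWN, CERT, TS))  # does not match the log key

if __name__ == "__main__":
    print(evaluate_scts(CERT, [good, unknown_log], KNOWN))
    print(evaluate_scts(CERT, [good, unknown_log, wrong_cert], KNOWN))
```

Whether a certificate with no valid SCTs at all is acceptable is a separate policy question that neither quoted sentence answers, so the function only reports whether rule [1] was triggered.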