#23: How can TLS clients match an SCT to a certificate?
Comment (by [email protected]):

Capturing offline discussion with Rob:

 * The ItemExtension field may be redundant given new TransItems can be
   defined that refer to other TransItems to provide metadata.
 * Given that name-constrained intermediates that are logged instead of leaf
   certificates are easily identifiable by a non-critical extension, providing
   the metadata indicating which certificate the SCT refers to may be overkill:
   a client can try to verify the SCT on the leaf certificate; if the
   signature does not validate, it should traverse the cert chain until it
   finds such an intermediate, then validate the SCT over that intermediate.
 * An intermediate MAY be logged instead of the leaf, so to allow for the case
   where both the intermediate and leaf are logged, the client has to validate
   the SCT against the leaf first.

--
------------------------------+---------------------------------------
 Reporter:  [email protected]  |      Owner:  [email protected]
     Type:  defect            |     Status:  new
 Priority:  major             |  Milestone:
Component:  rfc6962-bis       |    Version:
 Severity:  -                 | Resolution:
 Keywords:                    |
------------------------------+---------------------------------------

Ticket URL: <https://trac.tools.ietf.org/wg/trans/trac/ticket/23#comment:6>
trans <https://tools.ietf.org/trans/>

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
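The matching rule sketched in the comment above (leaf first, then only intermediates carrying the non-critical marker extension), written out as an added example; this is not code from the ticket, the draft or any CT implementation. It assumes a hypothetical OID for the marker extension, uses HMAC-SHA256 with a shared log key as a stand-in for the log's real signature so it runs on the standard library alone, and the certificates, DER bytes and log key are constructed. It goes slightly beyond the comment by checking every marked intermediate up the chain rather than stopping at the first one, and by rejecting an SCT whose log ID does not match the log key being used.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical OID for the non-critical extension that marks a name-constrained
# intermediate logged in place of its leaves. The draft does not define this
# value; it is an assumption for the example.
LOGGED_INTERMEDIATE_EXT = "1.3.6.1.4.1.99999.23"


@dataclass
class Cert:
    subject: str
    der: bytes                                      # constructed stand-in for DER
    extensions: dict = field(default_factory=dict)  # oid -> critical flag

    def marks_logged_intermediate(self) -> bool:
        # The marker must be present AND non-critical, as the comment describes.
        return self.extensions.get(LOGGED_INTERMEDIATE_EXT) is False


@dataclass
class SCT:
    log_id: bytes
    timestamp: int
    signature: bytes


def _signed_data(cert: Cert, timestamp: int) -> bytes:
    # Stand-in for the signed structure: timestamp || 24-bit length || cert.
    return timestamp.to_bytes(8, "big") + len(cert.der).to_bytes(3, "big") + cert.der


def log_id_for(log_key: bytes) -> bytes:
    return hashlib.sha256(log_key).digest()


def log_sign(log_key: bytes, cert: Cert, timestamp: int) -> SCT:
    # HMAC-SHA256 stands in for the log's ECDSA signature so the example runs
    # with the standard library only; the client-side matching logic is the same.
    sig = hmac.new(log_key, _signed_data(cert, timestamp), hashlib.sha256).digest()
    return SCT(log_id_for(log_key), timestamp, sig)


def sct_verifies(log_key: bytes, sct: SCT, cert: Cert) -> bool:
    if not hmac.compare_digest(sct.log_id, log_id_for(log_key)):
        return False
    expected = hmac.new(log_key, _signed_data(cert, sct.timestamp), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sct.signature)


def match_sct(chain: list, sct: SCT, log_key: bytes) -> Optional[int]:
    """Return the index in `chain` of the certificate this SCT covers, or None.

    chain[0] is the leaf, followed by intermediates up to the trust anchor.
    1. Try the leaf first: both the leaf and an intermediate may be logged,
       and the leaf is the match the client must prefer.
    2. Otherwise walk up the chain and try only intermediates that carry the
       non-critical marker extension. Certificates without the marker are
       never tried, so an SCT cannot be attached to an arbitrary CA cert.
    """
    if sct_verifies(log_key, sct, chain[0]):
        return 0
    for idx in range(1, len(chain)):
        cert = chain[idx]
        if cert.marks_logged_intermediate() and sct_verifies(log_key, sct, cert):
            return idx
    return None


# --- constructed sample data (not real certificates or keys) ---------------
LOG_KEY = b"example-log-private-key"
LEAF = Cert("CN=www.example.com", b"leaf-der-bytes")
NC_INTERMEDIATE = Cert("CN=Example Name-Constrained CA", b"nc-ica-der-bytes",
                       {LOGGED_INTERMEDIATE_EXT: False})
PLAIN_INTERMEDIATE = Cert("CN=Example Issuing CA", b"ica-der-bytes")
ROOT = Cert("CN=Example Root", b"root-der-bytes")

CHAIN = [LEAF, NC_INTERMEDIATE, PLAIN_INTERMEDIATE, ROOT]

TS = 1_400_000_000_000
SCT_OVER_LEAF = log_sign(LOG_KEY, LEAF, TS)
SCT_OVER_NC_ICA = log_sign(LOG_KEY, NC_INTERMEDIATE, TS)
SCT_OVER_PLAIN_ICA = log_sign(LOG_KEY, PLAIN_INTERMEDIATE, TS)
SCT_OTHER_LOG = log_sign(b"some-other-log", LEAF, TS)


def demo() -> dict:
    return {
        "leaf": match_sct(CHAIN, SCT_OVER_LEAF, LOG_KEY),                    # 0
        "nc_intermediate": match_sct(CHAIN, SCT_OVER_NC_ICA, LOG_KEY),       # 1
        "unmarked_intermediate": match_sct(CHAIN, SCT_OVER_PLAIN_ICA, LOG_KEY),  # None
        "wrong_log": match_sct(CHAIN, SCT_OTHER_LOG, LOG_KEY),               # None
    }


if __name__ == "__main__":
    for case, idx in demo().items():
        print(f"{case:24s} -> {idx}")
```

The "unmarked_intermediate" case is the one worth noting: a valid signature over a CA certificate that lacks the marker is still rejected, which is what keeps the leaf-first-then-walk rule from turning any intermediate into an SCT target. If a chain contains both a logged leaf and a logged marked intermediate, the SCT over the leaf matches at index 0 before the walk begins.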
