On 18/08/17 21:15, Tom Ritter wrote:
> Ran into a question I didn't know the answer to, hopefully easy.
> If a client submits a chain of valid certificates to a log (via
> add-chain), but the leaf certificate was already added to the log as a
> precert - is the log allowed to return the SCT associated with the
> precert rather than the certificate?
Hi Tom. The specification of the submit-entry endpoint [1] says:
'Outputs:
sct: A base64 encoded "TransItem" of type "x509_sct_v2" or
"precert_sct_v2", signed by this log, that corresponds to the
"submission".'
Arguably a precert SCT does "correspond to" a certificate. However,
earlier in the document [2] it says:
'...Note that if a certificate was previously logged as a
precertificate, then the precertificate's SCT of type
"precert_sct_v2" would not be appropriate; instead, a fresh
SCT of type "x509_sct_v2" should be generated.'
[1] https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-26#section-5.1
[2] https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-26#section-4
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
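As an added illustration of the behaviour the thread settles on (this is example code written for this page, not code from the thread, from RFC 6962-bis, or from any real CT log), the following Python models a log that keys its entries by (SCT type, leaf hash), so that an add-chain submission whose leaf was earlier logged via add-pre-chain mints a fresh "x509_sct_v2" SCT instead of handing back the "precert_sct_v2" one. The class and function names (DemoLog, add_pre_chain, add_chain, sct_type_matches) are hypothetical, the leaf bytes are constructed, and the HMAC "signature" is a stand-in for the log's real signing key.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# TransItem types from draft-ietf-trans-rfc6962-bis; the thread is about which
# of the two a log must return for an add-chain submission.
X509_SCT_V2 = "x509_sct_v2"
PRECERT_SCT_V2 = "precert_sct_v2"

# Constructed stand-in for the log's private key. A real log signs SCTs with an
# asymmetric key (e.g. ECDSA P-256); HMAC is used here only to keep the demo
# self-contained and deterministic.
_DEMO_LOG_KEY = b"demo-log-key-not-a-real-key"


@dataclass(frozen=True)
class SCT:
    sct_type: str      # X509_SCT_V2 or PRECERT_SCT_V2
    leaf_hash: str     # SHA-256 (hex) of the submitted leaf identity bytes
    timestamp_ms: int
    signature: str     # hex digest of the demo "signature"


class DemoLog:
    """Hypothetical model of a CT log's submission handling (not any real log's code)."""

    def __init__(self, now_ms=None):
        # Entries are keyed by (sct_type, leaf_hash). A precertificate entry and a
        # certificate entry for the same leaf are distinct log entries, so the same
        # leaf can legitimately appear under both keys with two different SCTs.
        self._entries = {}
        self._now_ms = now_ms  # fixed clock for reproducible output; None = wall clock

    def _sign(self, sct_type, leaf_hash, timestamp_ms):
        msg = f"{sct_type}|{leaf_hash}|{timestamp_ms}".encode()
        return hmac.new(_DEMO_LOG_KEY, msg, hashlib.sha256).hexdigest()

    def _issue(self, sct_type, leaf_identity):
        # leaf_identity stands in for the TBSCertificate with the poison / embedded-SCT
        # extensions removed, which is what makes a precert and its final cert "the same".
        leaf_hash = hashlib.sha256(leaf_identity).hexdigest()
        key = (sct_type, leaf_hash)
        if key in self._entries:
            # Same submission type already logged: returning the existing SCT is fine.
            return self._entries[key]
        ts = self._now_ms if self._now_ms is not None else int(time.time() * 1000)
        sct = SCT(sct_type, leaf_hash, ts, self._sign(sct_type, leaf_hash, ts))
        self._entries[key] = sct
        return sct

    def add_pre_chain(self, precert_identity):
        return self._issue(PRECERT_SCT_V2, precert_identity)

    def add_chain(self, cert_identity):
        # Even when the same leaf was already logged as a precert, this mints a fresh
        # x509_sct_v2 rather than reusing the precert_sct_v2, as section 4 of the draft says.
        return self._issue(X509_SCT_V2, cert_identity)


def sct_type_matches(sct, expected_type):
    """Client-side check: an add-chain caller should reject a precert-typed SCT."""
    return sct.sct_type == expected_type


if __name__ == "__main__":
    log = DemoLog(now_ms=1503090900000)           # fixed timestamp, constructed
    leaf = b"constructed-leaf-identity-bytes"      # constructed, not real DER
    pre = log.add_pre_chain(leaf)
    cert = log.add_chain(leaf)
    print(pre.sct_type, cert.sct_type, pre.signature != cert.signature)
```

Running the module shows the precert submission yielding a "precert_sct_v2" SCT and the later add-chain of the same leaf yielding a distinct "x509_sct_v2" SCT; the second add-chain of the same leaf returns that same certificate SCT, which is the one case where reusing an SCT is appropriate.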