Hi, I'm looking for information about how far ATS supports Certificate Transparency and the Expect-CT header.
My understanding is that a web server can provide the Signed Certificate Timestamps (SCTs) -- if they are not embedded in the certificate via an x509 extension by the CA -- either via a TLS extension or via OCSP stapling. I know that ATS can enable OCSP stapling, but I don't know whether that requires additional settings to include the SCTs, nor do I know the status of using the TLS extension in ATS. Does anybody here know if this is available in ATS?

Related to this: is there work to add a simple configuration setting to set the 'Expect-CT' header? I'd think it'd make sense to have that be configurable similar to the way HSTS is enabled in ATS.

Thanks in advance for any pointers on this,

-Jan
