[ECA-6940] CT: Verify embedded SCTs in the final certificate before completing issuance - PrimeKey Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: None
Component/s: PKI core
Labels:
- ct

Description

When using Certificate Transparency and embedding SCTs retrieved by submitting pre-certificates to CT logs (which is the normal use case for CT).

We had one corner case where the SCTs in the final certificate could not properly be verified because of altName ordering causing a different TBSCertificate encoding in the pre-certificate and the final certificate. To ensure that issued certificates are correct we should verify the SCTs in the final certificate before completing the issuance. Just as we verify the certificate signature today.

If my pull request gets accepted the git version of certificate-transparency-java will be able to verify SCTs in the final certificate. My fork can be used in the meantime, but we should probably wait until it's reviewed and merged so the API is stable.

https://github.com/google/certificate-transparency-java/pull/20

Attachments

Issue Links

relates

ECA-6977 Certificate Transparency, add verification of embedded SCTs and upgrade version of google/certificate-transparency-java

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Tomas Gustavsson

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2018-05-18 08:26

Updated:: 2019-05-13 13:12

Resolved:: 2018-06-16 13:16