Open lgarron opened 7 years ago
@agwa mentioned at https://twitter.com/__agwa/status/989543691713826816 that some CTs might let you get certs without SCTs, which sounds like a good test case now.
Good idea. What do you think of also covering ways of serving a non-embedded SCT? Maybe overall target:
- `embedded-sct.badssl.com`
  - with a valid embedded SCT in the cert (just reuse our existing certs)
- `no-embedded-sct.badssl.com`
  - without an embedded SCT, and don't send it via the TLS extension
- `tls-extension-sct.badssl.com`
  - (?) with no embedded SCT, but send it via the TLS extension
I think the TLS extension variation is maybe the common case for site operators who get certs without embedded SCTs, but I'm not sure on that.
There's also attaching the SCT to the OCSP Stapling, but I'm not sure what would be involved in getting that working (both for the testing server and for production certs).
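As an added example (not code from this thread or from badssl.com), the following stdlib-only Python parser handles the `SignedCertificateTimestampList` encoding from RFC 6962 §3.3, which is the same byte format carried by all three delivery channels discussed above: the X.509 extension `1.3.6.1.4.1.11129.2.4.2` (after unwrapping its DER OCTET STRING), the body of the TLS `signed_certificate_timestamp` extension (type 18), and the OCSP response extension `1.3.6.1.4.1.11129.2.4.5`. The sample bytes are constructed here with placeholder log IDs and signatures, so the example checks presence and structure only; verifying an SCT signature needs the log's public key and is not shown.

```python
"""Parse an RFC 6962 SignedCertificateTimestampList (stdlib only)."""
import struct
from dataclasses import dataclass

# TLS SignatureAndHashAlgorithm code points used inside an SCT (RFC 5246 7.4.1.4.1).
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


@dataclass
class SCT:
    version: int
    log_id: bytes          # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int      # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int
    sig_alg: int
    signature: bytes


class SCTParseError(ValueError):
    """Raised when the bytes do not form a well-formed SCT list."""


def _take(buf: bytes, off: int, n: int, what: str):
    """Return buf[off:off+n] and the new offset, failing loudly on truncation."""
    if off + n > len(buf):
        raise SCTParseError(f"truncated {what} at offset {off}")
    return buf[off:off + n], off + n


def _u16(buf: bytes, off: int, what: str):
    chunk, off = _take(buf, off, 2, what)
    return struct.unpack(">H", chunk)[0], off


def parse_sct(raw: bytes) -> SCT:
    """Parse one SerializedSCT (RFC 6962 3.2); only version v1 (0) exists."""
    off = 0
    version, off = _take(raw, off, 1, "version")
    if version != b"\x00":
        raise SCTParseError(f"unsupported SCT version {version[0]}")
    log_id, off = _take(raw, off, 32, "log_id")
    ts, off = _take(raw, off, 8, "timestamp")
    ext_len, off = _u16(raw, off, "extensions length")
    exts, off = _take(raw, off, ext_len, "extensions")
    algs, off = _take(raw, off, 2, "signature algorithms")
    sig_len, off = _u16(raw, off, "signature length")
    sig, off = _take(raw, off, sig_len, "signature")
    if off != len(raw):
        raise SCTParseError(f"{len(raw) - off} trailing bytes after SCT")
    return SCT(0, log_id, struct.unpack(">Q", ts)[0], exts, algs[0], algs[1], sig)


def parse_sct_list(raw: bytes) -> list:
    """Parse a SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    total, off = _u16(raw, 0, "list length")
    if total != len(raw) - 2:
        raise SCTParseError(f"list length {total} != {len(raw) - 2} bytes present")
    if total == 0:
        # sct_list is declared <1..2^16-1>, so an empty list is malformed.
        raise SCTParseError("empty SCT list")
    scts = []
    while off < len(raw):
        n, off = _u16(raw, off, "SCT length")
        item, off = _take(raw, off, n, "SCT")
        scts.append(parse_sct(item))
    return scts


def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes,
               extensions: bytes = b"", hash_alg: int = 4, sig_alg: int = 3) -> bytes:
    """Serialize a v1 SCT; the inverse of parse_sct, used here to build sample input."""
    assert len(log_id) == 32
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([hash_alg, sig_alg])
            + struct.pack(">H", len(signature)) + signature)


def encode_sct_list(scts) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# Constructed sample (not real log data): two SCTs with placeholder log IDs and
# placeholder DER-ish ECDSA signatures. Nothing here is cryptographically valid.
SAMPLE_LIST = encode_sct_list([
    encode_sct(b"\x11" * 32, 1524700000000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    encode_sct(b"\x22" * 32, 1524700001000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])


def summarize(raw: bytes) -> list:
    """Return (log_id hex, timestamp_ms, hash alg, sig alg) per SCT, or raise SCTParseError."""
    return [(s.log_id.hex(), s.timestamp_ms,
             HASH_ALGS.get(s.hash_alg, "?"), SIG_ALGS.get(s.sig_alg, "?"))
            for s in parse_sct_list(raw)]


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LIST):
        print(entry)
```

To apply this to a live server, feed `parse_sct_list` the raw value of whichever channel you are testing; for the embedded case that is the inner contents of the extension's OCTET STRING, and an absent extension (as on `no-sct`-style hosts) simply means there is nothing to parse, which is the condition a client's CT policy then has to notice.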
This'd be nice to have. The CAs that let you get certs without SCTs are documented here: https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00080,Q00081
We've deployed https://no-sct.badssl.com/, which should address this test case.
(I'm not sure setting up the TLS Extension in nginx is worth the effort. We could set up a new subdomain to explicitly test the embedded SCT case, but all of our other trusted production certs have them.)
We have wildcard certs with and without SCTs now.