Closed jschanck closed 1 year ago
jcjones
commented
1 year ago The original concern with non-end-entity certs was that since they don't include SCTs, it wasn't clear, programmatically, how to tell if a given certificate should be expected to be within the dataset. Is that going to somehow derivable?
jschanck
commented
1 year ago Not programmatically, no, and Firefox and rust-query-crlite will only query CRLite if there is an SCT that proves inclusion in the filter. However, I want the filter metadata to completely describe the set of included certs, and I want to remove as many corner cases as possible. I can also imagine users wanting to query a filter on a certificate that does not have an SCT. E.g. they might discover a precert in CT and then manually check inclusion.
Firefox doesn't query CRLite on CA certs, but other applications might. We don't communicate the fact that we're not including CA certs in our filter metadata, which means other applications could get false positives if they query CA certs.
In the interest of making our filters broadly usable, let's include CA certs. The overall impact on filter size will be small.