zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Add lint to check that precertificates do not contain an SCT list #841

Closed by defacto64 6 months ago

defacto64 commented 6 months ago

This lint checks that the SCT (SignedCertificateTimestampList) extension is not present in precertificates, as this is not permitted by RFC 6962. This type of error has actually happened at least once as can be seen on https://bugzilla.mozilla.org.
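A sketch of the check described in this pull request, added here as an example; it is not the lint code from the PR or from zlint. It uses only the Go standard library, the function names (`hasExt`, `precertHasSCTList`, `buildCert`) are hypothetical, and the test certificates, key and SCT list value are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 6962 extensions: precertificate poison (critical, ASN.1 NULL) and SCT list (constructed empty list).
var poison = pkix.Extension{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}, Critical: true, Value: []byte{5, 0}}
var sctList = pkix.Extension{Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}, Value: []byte{4, 2, 0, 0}}

func hasExt(c *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			return true
		}
	}
	return false
}

// precertHasSCTList is true only for a precertificate (poison present) that also carries an SCT list.
func precertHasSCTList(c *x509.Certificate) bool {
	return hasExt(c, poison.Id) && hasExt(c, sctList.Id)
}

// buildCert returns a constructed self-signed certificate (throwaway all-zero-seed key) with the given extensions.
func buildCert(exts ...pkix.Extension) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtraExtensions: exts}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := buildCert(poison, sctList) // the case the lint targets: precertificate with an SCT list
	if err != nil {
		panic(err)
	}
	fmt.Println("precertificate carries SCT list:", precertHasSCTList(c))
}
```

A final certificate with embedded SCTs has the SCT list but no poison extension, so the check does not flag it.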