zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Add lint to check that precertificates do not contain an SCT list #841

Closed defacto64 closed 1 month ago

defacto64 commented 1 month ago

This lint checks that the SCT (SignedCertificateTimestampList) extension is not present in precertificates, as this is not permitted by RFC 6962. This type of error has actually happened at least once, as can be seen on https://bugzilla.mozilla.org.
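The check described above, as an added example that is not zlint's code and not part of the original pull request: it uses only the Go standard library and the two RFC 6962 extension OIDs. The names `PrecertHasSCTList` and `buildCert` are hypothetical, and the sample certificates and extension values are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidPoison = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}  // RFC 6962 section 3.1
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // RFC 6962 section 3.3
var poison = pkix.Extension{Id: oidPoison, Critical: true, Value: []byte{0x05, 0x00}} // constructed: ASN.1 NULL
var sctList = pkix.Extension{Id: oidSCTList, Value: []byte{0x04, 0x02, 0x00, 0x00}}   // constructed placeholder, no real SCTs

// PrecertHasSCTList: applies is true for a precertificate (poison present); fails is true if it also has an SCT list.
func PrecertHasSCTList(c *x509.Certificate) (applies, fails bool) {
	var sct bool
	for _, e := range c.Extensions {
		applies = applies || e.Id.Equal(oidPoison)
		sct = sct || e.Id.Equal(oidSCTList)
	}
	return applies, applies && sct
}

// buildCert creates and re-parses a constructed self-signed test certificate with the given extra extensions.
func buildCert(exts ...pkix.Extension) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtraExtensions: exts}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, err := buildCert(poison, sctList)
	if err != nil {
		panic(err)
	}
	fmt.Println(PrecertHasSCTList(c))
}
```

A final certificate that carries an SCT list but no poison extension is out of scope for this check, which is why the function reports applicability separately from failure.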