[openssl-dev] [openssl.org #4041] [PATCH] Add Certificate Transparency Support

Adam Eijdenberg eijdenberg at google.com
Mon Sep 14 21:19:32 UTC 2015


On Mon, Sep 14, 2015 at 1:26 PM Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> On Mon, Sep 14, 2015 at 08:05:06PM +0000, Salz, Rich wrote:
>
> > > One question on the overall integration.  What adjustments if any might
> > > need to be made to existing servers that are not "CT-aware"?
> >
> > For now, absolutely nothing.  At some point there might be the equivalent
> > of an "OCSP Stapling" for CT data.  It's all about the client being able
> > to see if the cert it got is valid.
>
> What is then the purpose of the new "-serverinfo" option of s_server?
> If CT works without it, why add it?
>

There are 3 ways by which a server can deliver Signed Certificate
Timestamps (SCTs) to clients:

1. SCTs embedded in the certificate itself.
2. SCTs embedded in an OCSP-stapled response.
3. SCTs sent in a TLS extension.

(1) requires work only by the CA issuing the cert.
(2) requires work by the CA in their OCSP responder, and work by the site
operator to enable OCSP stapling in their server.
(3) requires work by the site operator only to configure their server to
send SCTs.

The "-serverinfo" option to s_server is one way to achieve (3), and in fact
the tests (in a later commit) for s_client use this flag to verify
behavior.  I believe "-serverinfo" is purposely generic so it can also be
used for adding other TLS extension data that does not require dynamic
processing.

Rich is correct that a server does not need to do anything, that is, until
clients begin to require CT support (as we expect them to do over time as
CT proves its value).  Chrome, for example, already actually requires SCTs
be supplied during the handshake for EV certificates that have been issued
after January 1 this year (
https://www.chromium.org/Home/chromium-security/root-ca-policy#TOC-Extended-Validation-Certificates
).


>
> --
>         Viktor.