@sleevi_ Does Chrome outright reject redacted certificates at the moment? Is there a place/page where this is documented/explained?
Or is it that redacted certs simply won’t be CT compliant and that there’s no need to look for redaction specifically?
Replying to @ivanristic
More than that - Redaction is active misissuance, and will be treated like any other active and knowing BR violation. They won’t be accepted by clients, BUT ALSO the CA has now misissued
Replying to @sleevi_
Thanks for the clarification. Let me rephrase the question: is there any code in Chrome that rejects redacted certificates specifically (in absence of any other problems)?
Replying to @ivanristic @sleevi_
There is no redaction in CT. Symantec just made stuff up by mis-issuing a pre-cert for ?.example.com and embedding its SCT in a cert for http://sub.example.com. That doesn't work, just as an SCT for http://yahoo.com obviously doesn't work for http://google.com.
And yet here’s one redacted precertificate in a CT log :) https://crt.sh/?q=997aeb30aeb419a0892de5b6831de56291ca110411bf13fd3dae713a2b54e78c …
According to RFC6962 (the only published spec for CT), that is a pre-certificate for a (misissued) certificate for ?.badssl.com.