@sleevi_ Does Chrome outright reject redacted certificates at the moment? Is there a place/page where this is documented/explained?
I never mentioned CT in my question! I merely wanted to know if Chrome actively tried to detect “redacted” certificates. For example, looking at the 1.3.101.77 extension. I never got a reply to that, but both of you went on to explain to me how CT works :)
That’s just an OID off the Thawte arc though, and doesn’t appear in the final cert - so what would be rejected? Certs that aren’t CT qualified? We already did that for SYMC certs. Not because of redaction tho, except incidentally
There’s 1.3.101.77 in the cert on https://invalid-expected-sct.badssl.com My questions may have obvious answers to you, but that’s because you’re on the inside. From the outside, lots of stuff appears as random. I don’t even try to understand “why”, understanding behaviour is difficult enough :)
Ah right, forgot about the redacted commitment thing. In any event, understanding the why is the key to understanding or predicting the behavior :) Understanding that the SCTs don’t match and that Symantec/new certs need to be CT qualified makes the rejection clear ;)
End of conversation
New conversation
Kind of like how clients need explicit support for wildcard identifiers. If a client doesn't know about wildcards, a cert for *.example.com isn't going to work except for literally *.example.com.