
certcentral: check for SCTs, with optional disable per-account
Open, Medium, Public

Description

As a sanity check, by default certcentral should check newly-issued certificates to see that they contain embedded SCTs. CTs (and SCTs for the most part) are required in practice for public certs to work in the modern world, but apparently registrars can still technically get away with not doing so, and sometimes do that by accident and cause some carnage (cf. all the drama in T205504#4660385 and beyond). I'm not sure if we should just check for "SCTs exist at all" as a quick sanity-test, or if we need to really validate that the SCTs are cryptographically legit.

However, there should also be a flag to disable SCT-checking, in case we later want to hook up a private internal ACME CA as a provider which doesn't use CT/SCT. Maybe just at the per-account level for such a flag?
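An added sketch of the quick "SCTs exist at all" option with a per-account opt-out, not certcentral's own code: it walks the DER certificate with the standard library only, looks for the RFC 6962 embedded SCT list extension, and does not verify SCT signatures. The `skip_sct_check` flag name and the sample byte strings are assumptions constructed for this example, and single-byte DER tags are assumed.

```python
# Content bytes of OID 1.3.6.1.4.1.11129.2.4.2 (embedded SCT list, RFC 6962).
SCT_LIST_OID = bytes.fromhex("2b06010401d679020402")

def _tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf; ValueError if malformed."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            if not 1 <= n <= 4 or i + n > len(buf):
                raise ValueError("bad DER length")
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[i:i + length]
        i += length

def has_embedded_scts(cert_der):
    """True if the certificate carries a non-empty embedded SCT list."""
    try:
        tbs = next(_tlvs(next(_tlvs(cert_der))[1]))[1]  # Certificate -> tbsCertificate
        for tag, value in _tlvs(tbs):
            if tag != 0xA3:  # only [3] EXPLICIT Extensions is of interest
                continue
            for _, ext in _tlvs(next(_tlvs(value))[1]):
                fields = list(_tlvs(ext))  # extnID, optional critical, extnValue
                if fields[0] != (0x06, SCT_LIST_OID) or fields[-1][0] != 0x04:
                    continue
                tag2, scts = next(_tlvs(fields[-1][1]))  # inner OCTET STRING
                size = int.from_bytes(scts[:2], "big")  # TLS vector length prefix
                return tag2 == 0x04 and size > 0 and size == len(scts) - 2
    except (ValueError, StopIteration, IndexError):
        pass  # malformed input counts as "no SCTs"
    return False

def accept_certificate(cert_der, account):
    """Check by default; skip only when the account config opts out."""
    # "skip_sct_check" is a hypothetical per-account flag name.
    return bool(account.get("skip_sct_check")) or has_embedded_scts(cert_der)

# Constructed skeletons, not real certificates: only the nesting the check walks.
WITH_SCT = bytes.fromhex(
    "30243022a320301e301c060a2b06010401d679020402040e040c000a0008" + "00" * 8)
NO_SCT = bytes.fromhex("30063004a3023000")
```

An account pointing at a private ACME CA without CT would set the flag; every other account gets the check on each newly-issued certificate.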

Event Timeline

BBlack triaged this task as Medium priority. Oct 12 2018, 8:13 PM
BBlack created this task.

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!