This repository has been archived by the owner on Feb 17, 2023. It is now read-only.
Now that the rustls ConfigBuilder API requires a timestamp beyond which SCT verification will fail open, it isn't obvious how to still make SCT verification usable by default, but some things might help:

1. Ensure that upgrades aren't gratuitously incompatible. I expect this works fine after the change to expose a slice.
2. Have a GitHub action that periodically checks that the list isn't stale (it currently is).
3. Possibly expose the timestamp of the last upstream modification. This seems to be exposed as the Last-Modified header on the original JSON resource.

1 and 2 together allow using something like (the consumer crate's) build date + some set duration as a reasonable policy; 1, 2 and 3 together allow for a deterministic alternative.

Build time + 70 days will match what Chrome does and what issuers expect: it allows issuers to start actually relying on a newly-added log being validated everywhere.
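The two deadline policies sketched in the issue (build time + 70 days, or the upstream list's Last-Modified time + 70 days), the fail-open check against that deadline, and the staleness comparison a periodic action would run, as an added example. This is std-only Rust written for this page; it is not code from the issue, from this crate or from rustls. The HTTP-date parser, the function names and the sample dates are assumptions constructed for the illustration.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// The 70-day window the issue cites as Chrome's policy for trusting a log list.
pub const VALIDATION_WINDOW: Duration = Duration::from_secs(70 * 24 * 60 * 60);

/// Policy from items 1 and 2: deadline derived from the consumer crate's build time.
pub fn deadline_from_build_time(build_time: SystemTime) -> SystemTime {
    build_time + VALIDATION_WINDOW
}

/// Deterministic policy from items 1, 2 and 3: deadline derived from the
/// upstream list's Last-Modified timestamp rather than from whoever built the binary.
pub fn deadline_from_last_modified(last_modified: SystemTime) -> SystemTime {
    last_modified + VALIDATION_WINDOW
}

/// SCT verification is enforced only before the deadline; after it, verification
/// fails open (is skipped), which is the behaviour the issue is working around.
pub fn sct_verification_enforced(deadline: SystemTime, now: SystemTime) -> bool {
    now < deadline
}

/// Staleness check for a periodic CI job (item 2): the embedded list is stale when
/// the upstream resource was modified after the copy that was embedded.
pub fn list_is_stale(embedded_last_modified: SystemTime, upstream_last_modified: SystemTime) -> bool {
    upstream_last_modified > embedded_last_modified
}

/// Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's days_from_civil).
fn days_from_civil(mut y: i64, m: i64, d: i64) -> i64 {
    if m <= 2 {
        y -= 1;
    }
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = if m > 2 { m - 3 } else { m + 9 };
    let doy = (153 * mp + 2) / 5 + d - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146_097 + doe - 719_468
}

fn month_number(name: &str) -> Option<i64> {
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
        .iter()
        .position(|m| m.eq_ignore_ascii_case(name))
        .map(|i| i as i64 + 1)
}

/// Parse an IMF-fixdate Last-Modified value ("Mon, 01 Jan 2024 00:00:00 GMT") into a SystemTime.
/// Only this one form is accepted; anything else yields None rather than a guessed date.
pub fn parse_http_date(value: &str) -> Option<SystemTime> {
    let parts: Vec<&str> = value.split_whitespace().collect();
    if parts.len() != 6 || parts[5] != "GMT" {
        return None;
    }
    let day: i64 = parts[1].parse().ok()?;
    let month = month_number(parts[2])?;
    let year: i64 = parts[3].parse().ok()?;
    let hms: Vec<i64> = parts[4]
        .split(':')
        .map(|s| s.parse().ok())
        .collect::<Option<Vec<_>>>()?;
    if hms.len() != 3 {
        return None;
    }
    let secs = days_from_civil(year, month, day) * 86_400 + hms[0] * 3_600 + hms[1] * 60 + hms[2];
    if secs < 0 {
        return None;
    }
    Some(UNIX_EPOCH + Duration::from_secs(secs as u64))
}

fn main() {
    // Constructed sample value, not taken from the issue: an embedded list last modified on 2024-01-01.
    let embedded = parse_http_date("Mon, 01 Jan 2024 00:00:00 GMT").expect("valid HTTP-date");
    let deadline = deadline_from_last_modified(embedded);
    let enforced = sct_verification_enforced(deadline, SystemTime::now());
    println!("SCT verification still enforced under the Last-Modified policy: {enforced}");
}
```

The deadline functions are what a consumer would pass as the validation deadline when configuring CT verification; the point of the deterministic variant is that two builds of the same crate version agree on the deadline, whereas the build-time variant depends on when each binary was compiled.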