This repository has been archived by the owner on Feb 17, 2023. It is now read-only.

Help consumers figure out validity #10

Open
g2p opened this issue Sep 30, 2021 · 0 comments

Comments

@g2p

g2p commented Sep 30, 2021

Now that the rustls ConfigBuilder API requires a timestamp beyond which SCT verification will fail open, it isn't obvious how to still make SCT verification usable by default, but some things might help:

  1. Ensure that upgrades aren't gratuitously incompatible. I expect this works fine after the change to expose a slice.
  2. Have a GitHub action that periodically checks that the list isn't stale (it currently is).
  3. Possibly expose the timestamp of the last upstream modification. This seems to be exposed as the Last-Modified header on the original JSON resource.

1 and 2 together allow using something like (the consumer crate's) build date + some set duration as a reasonable policy; 1, 2 and 3 together allow for a deterministic alternative.

Build time + 70 days will match what Chrome does and what issuers expect: it allows issuers to start actually relying on a newly-added log being validated everywhere.
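The staleness check (item 2) and the deadline policy (the list's Last-Modified date + 70 days) from the comment above, as an added example; this is not code from the ct-logs or rustls projects. It assumes the upstream Last-Modified value is an RFC 7231 IMF-fixdate, and the 70-day grace period is the figure from the comment, used here as a constant.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Grace period from the comment: a newly added log is honoured everywhere
/// after about 70 days, so a log list older than that is treated as stale.
pub const MAX_LIST_AGE: Duration = Duration::from_secs(70 * 24 * 60 * 60);

/// Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm).
fn days_from_civil(y: i64, m: u32, d: u32) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = (m as i64 + 9) % 12; // March = 0 ... February = 11
    let doy = (153 * mp + 2) / 5 + d as i64 - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146_097 + doe - 719_468
}

/// Parse an RFC 7231 IMF-fixdate such as "Thu, 30 Sep 2021 07:28:00 GMT",
/// the format the upstream JSON resource's Last-Modified header uses.
/// Returns None for anything that is not well-formed, so a broken header
/// is never silently treated as "fresh".
pub fn parse_http_date(s: &str) -> Option<SystemTime> {
    const MONTHS: [&str; 12] = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];
    let parts: Vec<&str> = s.split_whitespace().collect();
    if parts.len() != 6 || parts[5] != "GMT" { return None; }
    let day: u32 = parts[1].parse().ok()?;
    let month = MONTHS.iter().position(|m| *m == parts[2])? as u32 + 1;
    let year: i64 = parts[3].parse().ok()?;
    let mut hms = parts[4].split(':');
    let h: u64 = hms.next()?.parse().ok()?;
    let mi: u64 = hms.next()?.parse().ok()?;
    let sec: u64 = hms.next()?.parse().ok()?;
    if hms.next().is_some() || h > 23 || mi > 59 || sec > 60 || day == 0 || day > 31 {
        return None;
    }
    let days = days_from_civil(year, month, day);
    if days < 0 { return None; }
    Some(UNIX_EPOCH + Duration::from_secs(days as u64 * 86_400 + h * 3600 + mi * 60 + sec))
}

/// The timestamp to hand to the builder: SCT verification fails open after it.
pub fn validation_deadline(list_date: SystemTime) -> SystemTime {
    list_date + MAX_LIST_AGE
}

/// The check a periodic CI job would fail on: the embedded list is stale
/// once `now` is past the deadline derived from its Last-Modified date.
pub fn list_is_stale(list_date: SystemTime, now: SystemTime) -> bool {
    now > validation_deadline(list_date)
}
```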
