New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/x509: support SCT/OCSP passthrough when using platform verifiers #58251
Comments
I would hedge on not using them with the Go verifier as we might start doing that later. So maybe "is currently ignored". Let's use the names and types from
|
Agreed, updated to match. |
LGTM, although note that Chrome is asking the community for feedback around deprecating SCT delivery via TLS extensions. https://groups.google.com/a/chromium.org/g/ct-policy/c/WX6iZt7uJBs |
This proposal has been added to the active column of the proposals project |
Have all concerns about this proposal been addressed? |
I believe so, there is some movement in Chrome-land to possibly deprecate the SCT transmission methods, but there was enough pushback that it seems unlikely to go anywhere anytime soon. I think myself and Filippo are in agreement that it makes sense to add the functionality for now. |
Based on the discussion above, this proposal seems like a likely accept. |
No change in consensus, so accepted. 🎉 |
During TLS handshakes, in particular, additional inputs to verification can be sent alongside the certificate chain, typically a set of SCTs and/or a stapled OCSP response, that can be used to resolve additional trust constraints on the chain. The native Go verifier currently has no support for these additional inputs, but when platform verifiers are used (on Windows and macOS) these inputs could be utilized.
#51991 is an example of when ignoring these additional inputs (in particular SCTs) causes verification failures when using a platform verifier, because the platform applies additional restrictions on verification which require the inputs to resolve.
I propose that we add fields to
x509.VerifyOptions
that allow passing through these inputs toCertificate.Verify
. These will be explicitly documented to only be considered when using platform verifiers, but at some point in the future we may want to add additional functionality to the native verifier to consider them (in particular OCSP responses). Once these fields are added the TLS implementation can be configured to pass through any additional inputs passed during the handshake.cc @FiloSottile
The text was updated successfully, but these errors were encountered: