Client spec: Specify that certificate verification should fail without a signed time source, current time with explicit policy #15

Open
haydentherapper opened this issue Aug 27, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@haydentherapper

Description

If neither an RFC 3161 signed timestamp nor a log timestamp (SET) is successfully verified, then certificate verification should fail. Currently, it is not explicitly documented that a client must require at least one successful verification of a signed timestamp.

We should also document that a client MAY choose to implement verification with current time in the case of BYO PKI and long-lived certificates, but this MUST be gated behind a policy and not the default behavior.
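
The rule requested above, sketched as a fail-closed time-selection check. This is an added example, not part of the original issue or any Sigstore client's code. The names `TimestampResult`, `TimePolicy`, `verification_times` and `check_certificate` are hypothetical, and checking the certificate against every verified timestamp is an assumption of the sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class VerificationError(Exception):
    """Raised when the certificate cannot be tied to a trusted time."""


@dataclass(frozen=True)
class TimestampResult:
    # Outcome of verifying one signed time source (hypothetical type).
    source: str                      # "rfc3161" or "set"
    verified: bool                   # the signature over the timestamp checked out
    time: Optional[datetime] = None  # only meaningful when verified is True


@dataclass(frozen=True)
class TimePolicy:
    # Off by default: current time is only for BYO PKI with long-lived certificates.
    allow_current_time: bool = False


def verification_times(results, policy=TimePolicy(), now=None):
    """Return the times the certificate must be valid at, or fail closed."""
    signed = [r.time for r in results if r.verified and r.time is not None]
    if signed:
        return signed
    if policy.allow_current_time:
        return [now or datetime.now(timezone.utc)]
    raise VerificationError("no signed timestamp verified and current time not allowed by policy")


def check_certificate(not_before, not_after, results, policy=TimePolicy(), now=None):
    """Assumption: the certificate must be valid at every trusted time."""
    for t in verification_times(results, policy, now):
        if not (not_before <= t <= not_after):
            raise VerificationError(f"certificate not valid at {t.isoformat()}")
    return True


# Constructed sample: a 10-minute certificate and two timestamp results.
ISSUED = datetime(2024, 8, 27, 12, 0, tzinfo=timezone.utc)
EXPIRES = ISSUED + timedelta(minutes=10)
SAMPLE = [
    TimestampResult("rfc3161", verified=False),
    TimestampResult("set", verified=True, time=ISSUED + timedelta(minutes=1)),
]
```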
