Apt repository and SCT support


#1

Has anyone packaged Let’s Encrypt for Debian or Ubuntu and if so have they provided the packages with an apt repository?

Will Let’s Encrypt host apt repositories? If you do, would you please host them with https and a Tor hidden service?

Jacob Hoffman-Andrews of EFF and Let’s Encrypt asked about “Go support for SCTs in OCSP?” on the Google Group certificate-transparency, but no one replied. Will we see embedded SCTs in the Let’s Encrypt certificates and, if so, when might we see it?

If some of you are wondering what an SCT is, it’s a signed certificate timestamp (SCT). You can find out more at http://www.certificate-transparency.org/how-ct-works and it makes it a heck of a lot easier to get CT (Certificate Transparency) working.


#2

We currently have a patch ready to merge that will allow us to submit every issued certificate to a set of CT logs and store the corresponding SCTs.

Due to our current issuance process, the only plausible way we could serve SCTs would be via OCSP responses, but unfortunately a lack of Golang support for X509v3 extensions in the OCSP library is blocking any further progress on this front.


#3

Thank you roland. I should have read the “Will you support Certificate Transparency?” thread before posting my question. Will you support Certificate Transparency?

I built some nginx packages to support CT based on the patches and directions posted at http://www.certificate-transparency.org/resources-for-site-owners/nginx, but it is an error-prone process with all that is involved. My first couple attempts at building Apache packages for CT have not been successful.


#4

Yep, the current patching process to natively serve SCTs from Apache/nginx is quite a pain, although it looks like patch sets are getting closer to merging into respective master branches, which will make it somewhat simpler. Unfortunately it doesn’t look like we’ll launch with SCTs in OCSP responses, but it is something I’ll be pushing for as soon after launch as is possible!