Making SCTs certificate embedding optional

I know this is a long-awaited feature, and it’s great (SCT embedding in certs)!
However, in some cases I would still like to control SCTs using the TLS extension and not have them embedded in the certificate.
Is it or will it be possible to control this via a flag (to renew?) or a conf?
Is there a workaround today to be able to control this certificate embedding?


What is the benefit of the TLS extension, and does it require the cert to lack the SCT explicitly? Can’t you do both?

Thanks for the feature request! It’s true that you could save handshake bytes for non-Chrome users by getting a certificate with no embedded SCTs, then serving SCTs via TLS extension to only those clients that indicate support. However, because we expect this to be a very rare use case, and because the size benefits are fairly minimal, we don’t want to add the complexity this would require to Boulder.

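Whichever delivery path is chosen, the bytes are the same: the SignedCertificateTimestampList from RFC 6962 is what sits in the X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2) and in the TLS signed_certificate_timestamp extension. As an added example (not from this thread or from Boulder), a parser for that list run over a constructed sample, so a server operator can check what a client would actually receive either way:

```python
import struct
from dataclasses import dataclass
from typing import List

@dataclass
class SCT:
    version: int        # 0 = v1, the only version defined in RFC 6962
    log_id: bytes       # SHA-256 of the log's public key (32 bytes)
    timestamp_ms: int   # milliseconds since the Unix epoch
    extensions: bytes   # CtExtensions, empty in practice for v1
    hash_alg: int       # TLS 1.2 HashAlgorithm (4 = sha256)
    sig_alg: int        # TLS 1.2 SignatureAlgorithm (3 = ecdsa)
    signature: bytes    # DER-encoded signature over the SCT contents

def parse_sct(buf: bytes) -> SCT:
    """Parse one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(buf) < 1 + 32 + 8 + 2:
        raise ValueError("SCT too short")
    version = buf[0]
    if version != 0:
        raise ValueError(f"unsupported SCT version {version}")
    log_id = buf[1:33]
    timestamp_ms = struct.unpack(">Q", buf[33:41])[0]
    ext_len = struct.unpack(">H", buf[41:43])[0]
    pos = 43
    extensions = buf[pos:pos + ext_len]
    pos += ext_len
    if len(buf) < pos + 4:
        raise ValueError("SCT truncated before signature")
    hash_alg, sig_alg, sig_len = struct.unpack(">BBH", buf[pos:pos + 4])
    pos += 4
    signature = buf[pos:pos + sig_len]
    if pos + sig_len != len(buf):
        raise ValueError("SCT signature length mismatch")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)

def parse_sct_list(data: bytes) -> List[SCT]:
    """Parse a SignedCertificateTimestampList: a 2-byte total length, then 2-byte length-prefixed SCTs."""
    if len(data) < 2:
        raise ValueError("list too short")
    total = struct.unpack(">H", data[:2])[0]
    if total != len(data) - 2:
        raise ValueError("list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts

# Constructed sample, not a real log entry: one v1 SCT with a dummy log id and signature.
_sct = (b"\x00" + b"\xaa" * 32 + struct.pack(">Q", 1700000000000) + b"\x00\x00"
        + b"\x04\x03" + struct.pack(">H", 4) + b"\xde\xad\xbe\xef")
SAMPLE_LIST = struct.pack(">H", len(_sct) + 2) + struct.pack(">H", len(_sct)) + _sct
```

The log_id and timestamp are what you would compare against the set of logs you want your certificate, or your TLS extension, to cover.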

Currently the two use-cases I had in mind are:

  1. for testing
  2. having control of the logs to check

Thanks @jsha, I understand.
I thought perhaps the features.EmbedSCTs flag can be easily controlled with a request/arg.
Appreciate the time and thoughtful response.
