Making SCTs certificate embedding optional


#1

Hi,
I know this is a long awaited feature, and it’s great (SCTs embedding in certs)!
However, in some cases I would still like to control SCTs using the TLS extension and not have them embedded in the certificate.
Is it or will it be possible to control this via a flag (to renew?) or a conf?
Is there a workaround today to be able to control this certificate embedding?

Thanks!


#2

What is the benefit of the TLS extension, and does it require the cert to lack the SCT explicitly? Can't you do both?


#3

Thanks for the feature request! It’s true that you could save handshake bytes for non-Chrome users by getting a certificate with no embedded SCTs, then serving SCTs via TLS extension to only those clients that indicate support. However, because we expect this to be a very rare use case, and because the size benefits are fairly minimal, we don’t want to add the complexity this would require to Boulder.


#4

Currently the two use-cases I had in mind are:

  1. for testing
  2. having control of the logs to check
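
To make the difference between the two delivery paths concrete, the following added example (not code from this thread, from Boulder, or from Let's Encrypt) parses a SignedCertificateTimestampList as defined in RFC 6962 section 3.3, both as it appears inside the X.509 extension (DER OCTET STRING wrapping the TLS-encoded list, OID 1.3.6.1.4.1.11129.2.4.2) and as it is carried raw in the signed_certificate_timestamp TLS extension (type 18). It also checks the embedded log IDs against an operator-supplied allow-list, which is the "control of the logs to check" use case above. The two SCTs, their log IDs and their signature bytes are constructed placeholders; signatures are not verified here.

```python
"""Parse RFC 6962 SignedCertificateTimestampList values from either delivery path.

Added illustration for the thread above; not Boulder or Let's Encrypt code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension carrying embedded SCTs
TLS_SCT_EXTENSION_TYPE = 18               # signed_certificate_timestamp TLS extension


@dataclass
class SCT:
    version: int
    log_id: bytes        # SHA-256 of the log's DER public key (32 bytes)
    timestamp_ms: int    # milliseconds since the Unix epoch
    extensions: bytes
    hash_alg: int        # TLS HashAlgorithm, 4 = sha256
    sig_alg: int         # TLS SignatureAlgorithm, 3 = ecdsa
    signature: bytes     # not verified in this example


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack(">H", buf[off:off + 2])[0]


def parse_sct(data: bytes) -> SCT:
    """Parse one SerializedSCT (RFC 6962 section 3.2 / 3.3)."""
    if len(data) < 1 + 32 + 8 + 2 + 2 + 2:
        raise ValueError("SCT too short")
    version = data[0]
    if version != 0:
        raise ValueError("unsupported SCT version %d" % version)
    log_id = data[1:33]
    timestamp_ms = struct.unpack(">Q", data[33:41])[0]
    ext_len = _u16(data, 41)
    off = 43
    extensions = data[off:off + ext_len]
    off += ext_len
    hash_alg, sig_alg = data[off], data[off + 1]
    off += 2
    sig_len = _u16(data, off)
    off += 2
    signature = data[off:off + sig_len]
    off += sig_len
    if off != len(data):
        raise ValueError("trailing bytes after SCT")
    return SCT(version, log_id, timestamp_ms, extensions, hash_alg, sig_alg, signature)


def parse_sct_list(data: bytes) -> List[SCT]:
    """Parse a TLS-encoded SignedCertificateTimestampList (the raw TLS extension_data)."""
    if len(data) < 2 or _u16(data, 0) != len(data) - 2:
        raise ValueError("bad SCT list length")
    off, scts = 2, []
    while off < len(data):
        n = _u16(data, off)
        off += 2
        if n == 0:
            raise ValueError("zero-length SCT")  # RFC 6962 forbids empty SCTs
        scts.append(parse_sct(data[off:off + n]))
        off += n
    return scts


def parse_embedded_scts(extension_value: bytes) -> List[SCT]:
    """Parse the X.509 extension value: a DER OCTET STRING wrapping the TLS list."""
    if not extension_value or extension_value[0] != 0x04:
        raise ValueError("expected DER OCTET STRING")
    first = extension_value[1]
    if first < 0x80:
        length, off = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(extension_value[2:2 + n], "big")
        off = 2 + n
    if off + length != len(extension_value):
        raise ValueError("bad OCTET STRING length")
    return parse_sct_list(extension_value[off:off + length])


def unknown_logs(scts: List[SCT], trusted_log_ids: Set[bytes]) -> List[bytes]:
    """Return log IDs in the SCTs that are not in the operator's allow-list."""
    return [s.log_id for s in scts if s.log_id not in trusted_log_ids]


# --- constructed sample data (placeholders, not real logs or signatures) ---
def _encode_sct(log_id: bytes, ts_ms: int, signature: bytes) -> bytes:
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00" + b"\x04\x03"
    return body + struct.pack(">H", len(signature)) + signature


def _encode_sct_list(scts: List[bytes]) -> bytes:
    items = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(items)) + items


def _der_octet_string(payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(lb)]) + lb + payload


LOG_A_ID = hashlib.sha256(b"constructed log A").digest()  # placeholder log ID
LOG_B_ID = hashlib.sha256(b"constructed log B").digest()  # placeholder log ID
_SCT_A = _encode_sct(LOG_A_ID, 1700000000000, b"\x30" * 70)
_SCT_B = _encode_sct(LOG_B_ID, 1700000001000, b"\x31" * 70)
SAMPLE_TLS_EXTENSION_DATA = _encode_sct_list([_SCT_A, _SCT_B])           # TLS path
SAMPLE_CERT_EXTENSION_VALUE = _der_octet_string(SAMPLE_TLS_EXTENSION_DATA)  # X.509 path

if __name__ == "__main__":
    for sct in parse_embedded_scts(SAMPLE_CERT_EXTENSION_VALUE):
        print(sct.log_id.hex(), sct.timestamp_ms)
    print("unknown logs:", [l.hex() for l in unknown_logs(
        parse_sct_list(SAMPLE_TLS_EXTENSION_DATA), {LOG_A_ID})])
```

The only structural difference between the two paths is the DER OCTET STRING wrapper; the TLS-encoded list inside it is identical, which is why a client that supports the TLS extension can consume SCTs from either place.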

#5

Thanks @jsha I understand.
I thought perhaps the features.EmbedSCTs flag can be easily controlled with a request/arg.
Appreciate the time and thoughtful response.

