You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -1297,7 +1297,7 @@ but it is expected there will be a variety.
TODO: What should the TLS client communicate in the extension_data? Version(s) of CT that it supports? Certain types of TransItem that it can handle? Whether or not it wants to gossip?
</t>
<t>
In addition to normal validation of the certificate and its chain, TLS clients SHOULD validate each supplied SCT by computing the signature input from the SCT data as well as the certificate and verifying the signature, using the corresponding log's public key. TLS clients MUST reject SCTs whose timestamp is in the future.
In addition to normal validation of the certificate and its chain, TLS clients SHOULD validate each supplied SCT by computing the signature input from the SCT data as well as the certificate and verifying the signature, using the corresponding log's public key. TLS clients MUST NOT consider SCTs whose timestamp is in the future as valid.
</t>
<t>
TLS clients SHOULD also validate each supplied inclusion proof (see <xreftarget="verify_inclusion"/>), in order to audit the log. If no inclusion proof was supplied by the TLS server, the TLS client MAY request one directly from the corresponding log using <spanxstyle="verb">get-proof-by-hash</spanx> (<xreftarget="get-proof-by-hash"/>) or <spanxstyle="verb">get-all-by-hash</spanx> (<xreftarget="get-all-by-hash"/>), and then validate it.
