Implement Certificate Transparency policy #819
Codecov Report
@@ Coverage Diff @@
## main #819 +/- ##
==========================================
- Coverage 96.52% 96.38% -0.15%
==========================================
Files 59 59
Lines 9307 9330 +23
==========================================
+ Hits 8984 8993 +9
- Misses 323 337 +14
Thanks, this is a good improvement.
With the benefit of hindsight, it was probably premature to implement anything CT related in rustls, because there seems to have been little deployment of the CT features in TLS elsewhere; instead everything is using them embedded in certificates.
If so, should we make CT off by default (no need to call
I think it would be an improvement if it were to default to off. We could revisit that once we have a complete CT implementation.
An attempt to make configuration of the certificate transparency policy more robust. This doesn't have testing yet; my first question here is if this should live in rustls itself or if it should be part of the sct crate.
(Feel free to take this and run with it/build on it/change it in whatever way seems best.)
Fixes #803.