Examples of SCT delivered via a TLS extension or OCSP response?


Ivan Ristic

Mar 20, 2015, 7:43:36 AM
to ct-p...@chromium.org
I am adding detection of SCT to SSL Labs. I see that at least some new EV certificates contain embedded SCTs, but are there any known deployments using TLS extensions and OCSP responses as delivery vehicles? Thanks.

Rob Stradling

Mar 20, 2015, 7:52:32 AM
to Ivan Ristic, ct-p...@chromium.org
Hi Ivan.

ritter.vg:443 currently sends SCTs in both the
signed_certificate_timestamp TLS extension and in stapled OCSP responses.
See also https://ritter.vg/blog-require_certificate_transparency.html

sslanalyzer.comodoca.com:443 currently sends SCTs in stapled OCSP responses.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Tom Ritter

Mar 20, 2015, 11:54:25 AM
to Rob Stradling, Ivan Ristic, ct-p...@chromium.org
Thanks Rob!

LMK if you have any problems. A site running on the same server
(crypto.is) also supplies via TLS and OCSP, and if needed I should be
able to go in and disable OCSP stapling entirely (for a few days) on
one of them to give another test case.

-tom

Ivan Ristic

Apr 15, 2015, 5:34:43 AM
to Tom Ritter, Rob Stradling, ct-p...@chromium.org
Thank you, Rob and Tom. That was very helpful.

I've now added detection of SCTs (all three locations) to the development version of SSL Labs:

    https://dev.ssllabs.com/ssltest/analyze.html?d=ritter.vg
    https://dev.ssllabs.com/ssltest/analyze.html?d=sslanalyzer.comodoca.com
    https://dev.ssllabs.com/ssltest/analyze.html?d=digicert.com

There's currently no validation; I will add it at some point in the future.


--
Ivan
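The three delivery vehicles Rob and Ivan discuss (the X.509 extension embedded by the CA, the signed_certificate_timestamp TLS extension, and the OCSP response extension) all carry the same RFC 6962 SignedCertificateTimestampList; only the outer wrapping differs. The following is an added example, not SSL Labs code and not anything posted in this thread: a decoder for that list, plus the DER OCTET STRING unwrapping needed for the certificate (OID 1.3.6.1.4.1.11129.2.4.2) and OCSP (OID 1.3.6.1.4.1.11129.2.4.5) cases. The sample SCTs, their log IDs, timestamps and signature bytes are constructed; they are not real log entries and the signatures are never verified here, matching the "no validation" state Ivan describes.

```python
# Added example (not SSL Labs or project code): decode an RFC 6962
# SignedCertificateTimestampList as carried by all three SCT delivery vehicles.
# All sample data below is constructed; log IDs and signatures are dummy bytes.
from datetime import datetime, timezone

HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def _u16(b: bytes, pos: int) -> int:
    """Read a big-endian uint16 at pos, refusing to read past the buffer."""
    if pos + 2 > len(b):
        raise ValueError("truncated length field")
    return int.from_bytes(b[pos:pos + 2], "big")


def parse_sct(b: bytes) -> dict:
    """Decode one serialized v1 SignedCertificateTimestamp (RFC 6962 s3.2)."""
    if len(b) < 43:
        raise ValueError("SCT too short")
    if b[0] != 0:
        raise ValueError(f"unsupported SCT version {b[0]}")
    log_id = b[1:33]                                  # SHA-256 of the log's public key
    timestamp_ms = int.from_bytes(b[33:41], "big")    # milliseconds since the epoch
    ext_len = _u16(b, 41)
    pos = 43
    extensions = b[pos:pos + ext_len]
    pos += ext_len
    if pos + 4 > len(b):
        raise ValueError("truncated signature header")
    hash_alg, sig_alg = b[pos], b[pos + 1]            # TLS SignatureAndHashAlgorithm
    sig_len = _u16(b, pos + 2)
    pos += 4
    signature = b[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(b):
        raise ValueError("signature length mismatch or trailing bytes")
    return {
        "version": 0,
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature": signature,
    }


def parse_sct_list(data: bytes) -> list:
    """Decode a SignedCertificateTimestampList: uint16 total, then uint16-prefixed SCTs."""
    total = _u16(data, 0)
    if total == 0 or total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        n = _u16(data, pos)
        pos += 2
        if n == 0 or pos + n > len(data):
            raise ValueError("bad SCT entry length")
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def unwrap_octet_string(der: bytes) -> bytes:
    """Strip the DER OCTET STRING wrapper used by the X.509 and OCSP extensions.
    The TLS extension carries the list bare, so it is fed to parse_sct_list directly."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    first = der[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        pos = 2 + nbytes
    body = der[pos:pos + length]
    if len(body) != length or pos + length != len(der):
        raise ValueError("OCTET STRING length mismatch")
    return body


# --- encoders used only to build the constructed sample below ---
def encode_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Serialize a v1 SCT declaring SHA-256 (4) / ECDSA (3); signature bytes are not checked."""
    return (b"\x00" + log_id + timestamp_ms.to_bytes(8, "big")
            + len(extensions).to_bytes(2, "big") + extensions
            + bytes([4, 3]) + len(signature).to_bytes(2, "big") + signature)


def encode_sct_list(scts: list) -> bytes:
    body = b"".join(len(s).to_bytes(2, "big") + s for s in scts)
    return len(body).to_bytes(2, "big") + body


def der_octet_string(payload: bytes) -> bytes:
    """Minimal DER OCTET STRING encoding (short or long length form as required)."""
    n = len(payload)
    if n < 0x80:
        return b"\x04" + bytes([n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(lb)]) + lb + payload


SAMPLE_TS = 1426851816000  # constructed: 2015-03-20T11:43:36Z in ms
SAMPLE_LIST = encode_sct_list([                      # two SCTs from fictitious logs
    encode_sct(b"\x11" * 32, SAMPLE_TS, b"\x30\x44" + b"\xaa" * 68),
    encode_sct(b"\x22" * 32, SAMPLE_TS + 5000, b"\x30\x45" + b"\xbb" * 69),
])
SAMPLE_X509_EXT = der_octet_string(SAMPLE_LIST)     # as it would sit in the cert/OCSP extension

if __name__ == "__main__":
    for sct in parse_sct_list(unwrap_octet_string(SAMPLE_X509_EXT)):
        print(sct["log_id"][:16], sct["timestamp"].isoformat(), sct["hash_alg"], sct["sig_alg"])
```

Length checks at every layer matter here because the list arrives from the peer over TLS or inside a stapled OCSP response, and a scanner like the one Ivan describes has to survive malformed or truncated lists without misreporting an SCT as present. Verifying the signature over the precertificate or certificate, and checking the log ID against a known-log list, is the validation step this decoder deliberately leaves out.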

Rob Stradling

Apr 15, 2015, 6:01:30 AM
to Ivan Ristic, Tom Ritter, ct-p...@chromium.org
Nice!  Thanks Ivan.