-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SCT verification should compare timestamp against CT log validity window #178
Comments
Thank you for documenting these!
I think this should be covered if I understand correctly. If you follow the code paths from I'll continue to look at some of these other potential bugs and comment individually if I find anything. |
Again, the Edit: I would be in favor of changing this comparison to use |
Good find. Talking out loud to convince myself there's no issue:
So yea, TSA seems all good.
Good call, agreed. |
@codysoyland, I believe "CT log compares against issued SCTs" is still missing, so I've updated the title accordingly. |
Description
As a reminder, the purpose of validity windows is to mitigate two risks:
I've been looking over the code and wanted to confirm if we are verifying validity windows for root metadata. Here's what I've found so far:
In terms of how to structure the code, as is currently implemented, each service (CA, CT log, Rekor, TSA) should be responsible for comparing any of its artifacts that contain timestamps against the validity windows. TODOs below:
The metadata I don't know how to verify is if a log proof was created during a log's validity window, since there is no timestamp. Using a certificate's timestamp is not accurate because a certificate may be logged long after a signing event. In the case of BYO PKI, there may also be no timestamps, if you log a signing event with a key. I think there's nothing to compare against in these cases.
The text was updated successfully, but these errors were encountered: