    Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if... · 33c0a6a3
    Dana Keeler authored
    Bug 1665715 - (2/2) pass encoded signed certificate timestamp extension (if present) in CheckRevocation r=jcj
    
    This will allow Firefox to make decisions based on the earliest known time that
    a certificate exists (with respect to certificate transparency) that a CA is
    unlikely to back-date. In particular, this is essential for CRLite. Note that
    if the SCT signature isn't validated, a CA could still make a certificate
    appear to have existed for longer than it really has. However, this change is
    not an attempt to catch malicious CAs. The aim is to avoid false positives in
    CRLite resulting from CAs backdating the notBefore field on certificates they
    issue.
    
    Depends on D90595
    
    Differential Revision: https://phabricator.services.mozilla.com/D90596
    
    --HG--
    extra : moz-landing-system : lando
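The commit message above describes using SCT timestamps as a lower bound on when a certificate existed. The following is an added example, not code from this commit or from Firefox: it parses an RFC 6962 `SignedCertificateTimestampList` and returns the earliest timestamp without checking SCT signatures, which is the limitation the message notes. It assumes the input is the TLS-encoded list with the DER OCTET STRING wrappers already removed and that the minimum timestamp is the value of interest; `Reader`, `EarliestSctTimestamp` and `SampleList` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Bounds-checked big-endian reader over an untrusted buffer.
struct Reader {
  const uint8_t* p; size_t n;  // cursor and bytes remaining
  bool Skip(size_t k) { return k <= n ? (p += k, n -= k, true) : false; }
  bool Uint(size_t k, uint64_t& out) {
    for (out = 0; k > 0 && n > 0; k--, p++, n--) out = (out << 8) | *p;
    return k == 0;
  }
  bool Vector16(Reader& out) {  // 2-byte length prefix, then that many bytes
    uint64_t len;
    if (!Uint(2, len) || len > n) return false;
    out = Reader{p, static_cast<size_t>(len)};
    return Skip(out.n);
  }
};

// Sets `earliest` to the smallest v1 SCT timestamp (ms since the Unix epoch);
// false if malformed or no v1 SCT. Signatures are skipped, not verified.
bool EarliestSctTimestamp(const std::vector<uint8_t>& list, uint64_t& earliest) {
  Reader top{list.data(), list.size()}, scts{nullptr, 0};
  if (!top.Vector16(scts) || top.n != 0) return false;
  size_t count = 0;
  while (scts.n > 0) {
    Reader sct{nullptr, 0}, skipped{nullptr, 0};
    uint64_t version, timestamp;
    if (!scts.Vector16(sct) || !sct.Uint(1, version)) return false;
    if (version != 0) continue;  // not v1: layout unknown, ignore this entry
    if (!sct.Skip(32) || !sct.Uint(8, timestamp) || !sct.Vector16(skipped) ||
        !sct.Skip(2) || !sct.Vector16(skipped) || sct.n != 0) return false;
    if (count++ == 0 || timestamp < earliest) earliest = timestamp;
  }
  return count > 0;
}

// Constructed sample list: zero LogID, no extensions, 1-byte dummy signature.
std::vector<uint8_t> SampleList(const std::vector<uint64_t>& stamps) {
  std::vector<uint8_t> out{0, 0};
  for (uint64_t ts : stamps) {
    std::vector<uint8_t> e(50, 0);  // len2 ver1 LogID32 ts8 ext2 algs2 sig3
    e[1] = 48; e[45] = 4; e[46] = 3; e[48] = 1; e[49] = 0xAA;
    for (int i = 0; i < 8; i++) e[35 + i] = uint8_t(ts >> (56 - 8 * i));
    out.insert(out.end(), e.begin(), e.end());
  }
  out[0] = uint8_t((out.size() - 2) >> 8); out[1] = uint8_t(out.size() - 2);
  return out;
}
```

Comparing the returned value with the certificate's notBefore shows how far the two dates diverge for a given certificate.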