Audit SCT lists in OCSP responses against the various CT Policies

[robstradling]

RFC6962 permits SCTs to be distributed via OCSP response extensions. It would make sense for ctlint to audit OCSP responses against the various CT policies, at least in theory. In practice, since this method of distributing SCTs is believed to be used relatively rarely, it might not be worth bothering.

[jdeblasio]

Just as a data point, from recent Chrome TLS handshakes...

• 99.8% used SCTs embedded in a final cert
• 0.2% used SCTs provided in the TLS handshake
• ~0.000005% used SCTs provided via stapled OCSP responses

(Full disclosure: while it's been a few years since I said anything publicly, my opinion on OCSP-delivered SCTs has not changed, and the only thing that has kept us from announcing its removal from our policy is that we've been distracted by other policy changes. Insofar as Chrome's policy impacts your prioritization, I wouldn't assume that we'll remain so distracted for much longer.)

[robstradling]

Thanks @jdeblasio. That's really useful.

It was my idea for RFC6962 to support distributing SCTs via Stapled OCSP responses. At that time we were still hopeful that OCSP Stapling would gain widespread deployment. That hasn't happened, and it seems highly unlikely that it will ever happen now (given the rise of browser-maintained mechanisms for distributing revocation information and the fact that the TLS BRs have made OCSP optional). So I fully support the idea of deprecating this RFC6962 feature in Chrome's CT policy.

Sectigo's implementation currently has support for embedding SCTs in OCSP responses, and we used to use this by default when including the "Must Staple" extension in the corresponding certificate. However, we stopped doing this a while ago when it became clear that client-side support for SCTs-via-OCSP was a joint that had not been kept well-oiled across the CT ecosystem (examples: 1 2).

I'll leave this issue open for now; but if/when the Chrome CT Policy is updated along the lines you're hinting, this issue will be "Close as not planned".