badssl.com
[no-]embedded-sct
We have wildcard certs with and without SCTs now.
@agwa mentioned at https://twitter.com/__agwa/status/989543691713826816 that some CTs might let you get certs without SCTs, which sounds like a good test case now.
Good idea. What do you think of also covering ways of serving a non-embedded SCT? Maybe overall target:

- embedded-sct.badssl.com with a valid embedded SCT in the cert (just reuse our existing certs)
- no-embedded-sct.badssl.com without an embedded SCT and don't send it via the TLS extension
- tls-extension-sct.badssl.com (?) with no embedded SCT, but send it via the TLS extension. But it looks like this isn't supported by default in nginx, so we might need to add a third-party module
I think the TLS extension variation is maybe the common case for site operators who get certs without embedded SCTs, but I'm not sure on that.
There's also attaching the SCT to the OCSP Stapling, but I'm not sure what would be involved in getting that working (both for the testing server and for production certs).
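The three delivery paths discussed in this thread (embedded in the certificate, the TLS `signed_certificate_timestamp` extension, and the OCSP stapling extension) all carry the same RFC 6962 `SignedCertificateTimestampList` encoding; the TLS extension sends it raw, while the certificate extension (OID 1.3.6.1.4.1.11129.2.4.2) and the OCSP response extension (OID 1.3.6.1.4.1.11129.2.4.5) wrap it in a DER OCTET STRING. The following decoder is an added example, not code from the badssl.com project or from any participant in this thread. The function names (`parse_sct_list`, `parse_embedded_sct_extension`, the `encode_*` helpers) are this example's own, and the log id, timestamp and signature bytes in the sample are constructed placeholders, not a real CT log; signatures are decoded but not verified.

```python
"""Decode RFC 6962 SignedCertificateTimestampList blobs, as carried by the TLS
extension, the OCSP response extension and the embedded X.509 extension."""
import struct
from datetime import datetime, timedelta, timezone

SCT_LIST_EXTENSION_OID = "1.3.6.1.4.1.11129.2.4.2"  # X.509 extension for embedded SCTs
HASH_ALGS = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _take_vector(buf, pos, len_bytes):
    """Read a TLS-style length-prefixed opaque vector; return (contents, next_pos)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated vector length")
    length = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + length], pos + length


def parse_sct(sct):
    """Decode one SignedCertificateTimestamp (RFC 6962 section 3.2, v1 only)."""
    if len(sct) < 41 or sct[0] != 0:
        raise ValueError("not a v1 SCT or too short")
    log_id = sct[1:33]                       # SHA-256 of the log's public key
    (timestamp_ms,) = struct.unpack(">Q", sct[33:41])
    extensions, pos = _take_vector(sct, 41, 2)
    if pos + 2 > len(sct):
        raise ValueError("truncated signature algorithm")
    hash_alg, sig_alg = sct[pos], sct[pos + 1]  # TLS SignatureAndHashAlgorithm
    signature, pos = _take_vector(sct, pos + 2, 2)
    if pos != len(sct):
        raise ValueError("trailing bytes after SCT")
    return {
        "log_id": log_id.hex(),
        "timestamp": _EPOCH + timedelta(milliseconds=timestamp_ms),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "signature": signature,
    }


def parse_sct_list(blob):
    """Decode a SignedCertificateTimestampList (the raw TLS extension payload)."""
    entries, pos = _take_vector(blob, 0, 2)
    if pos != len(blob):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(entries):
        sct, p = _take_vector(entries, p, 2)
        scts.append(parse_sct(sct))
    return scts


def der_octet_string_contents(buf):
    """Strip one DER OCTET STRING (tag 0x04) wrapper and return its contents."""
    if len(buf) < 2 or buf[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    if buf[1] < 0x80:
        length, start = buf[1], 2
    else:
        n = buf[1] & 0x7F
        length, start = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    if start + length != len(buf):
        raise ValueError("DER length does not match buffer")
    return buf[start:start + length]


def parse_embedded_sct_extension(extn_value):
    """Decode the extnValue of the certificate or OCSP SCT extension: an OCTET STRING
    whose DER contents are another OCTET STRING holding the TLS-encoded list."""
    return parse_sct_list(der_octet_string_contents(der_octet_string_contents(extn_value)))


# --- encoders used only to build the constructed sample below ---------------
def _vector(payload, len_bytes):
    return len(payload).to_bytes(len_bytes, "big") + payload


def encode_sct(log_id, timestamp_ms, signature, hash_alg=4, sig_alg=3, extensions=b""):
    return (b"\x00" + log_id + struct.pack(">Q", timestamp_ms) + _vector(extensions, 2)
            + bytes([hash_alg, sig_alg]) + _vector(signature, 2))


def encode_sct_list(scts):
    return _vector(b"".join(_vector(s, 2) for s in scts), 2)


def der_octet_string(contents):
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return b"\x04" + length + contents


# Constructed sample: placeholder log id and signature, not a real CT log.
SAMPLE_LOG_ID = bytes(range(32))
SAMPLE_TIMESTAMP_MS = 1524700800000  # 2018-04-26T00:00:00Z
SAMPLE_SCT = encode_sct(SAMPLE_LOG_ID, SAMPLE_TIMESTAMP_MS, signature=b"\xaa" * 8)
SAMPLE_TLS_EXTENSION_PAYLOAD = encode_sct_list([SAMPLE_SCT])            # as sent over TLS
SAMPLE_EMBEDDED_EXTN_VALUE = der_octet_string(der_octet_string(SAMPLE_TLS_EXTENSION_PAYLOAD))

if __name__ == "__main__":
    for label, scts in (("TLS extension", parse_sct_list(SAMPLE_TLS_EXTENSION_PAYLOAD)),
                        ("embedded extension", parse_embedded_sct_extension(SAMPLE_EMBEDDED_EXTN_VALUE))):
        for sct in scts:
            print(f"{label}: log {sct['log_id'][:16]}... at {sct['timestamp'].isoformat()} "
                  f"({sct['hash_alg']}/{sct['sig_alg']})")
```

For a live check, the raw bytes fed to `parse_sct_list` would come from the TLS extension data, and the bytes fed to `parse_embedded_sct_extension` from the extnValue of the certificate or OCSP extension; the decoder deliberately rejects trailing or truncated bytes so a malformed list fails loudly instead of being silently treated as "no SCTs".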
This'd be nice to have. The CAs that let you get certs without SCTs are documented here: https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a051J00003rMGLL&QuestionId=Q00080,Q00081
We've deployed https://no-sct.badssl.com/, which should address this test case.
(I'm not sure setting up the TLS Extension in nginx is worth the effort. We could set up a new subdomain to explicitly test the embedded SCT case, but all of our other trusted production certs have them.)