
cert-checker: verify that SCTs match certificate

Open aarongable opened this issue 3 years ago • 0 comments

See https://bugzilla.mozilla.org/show_bug.cgi?id=1815874, in which another CA issued certificates containing SCTs which were generated from the submission of a different precert to CT logs.

I don't believe we are anywhere close to being able to be impacted by a similar bug. Our issuance process (creation of a precert, submission of that precert to CT logs, creation of a final cert, etc) is fully serial and constrained to a single goroutine which manages issuance for only that single certificate.

That said, it would be a nice belt-and-suspenders check to have cert-checker double-check the SCTs contained within a final cert. Unfortunately, this is rather complex. For one thing, it can only happen at least 24 hours (the usual Maximum Merge Delay) after the cert was issued. Also, it requires a bunch of stuff (map of log IDs to log URLs, map of log IDs to log public keys, public internet access to query logs, and a bunch of code to construct the appropriate tbsCertificate and MerkleTreeLeaf structures) that we don't have sitting around already.

Doing this work may not be worth it, as we already have good separation of duties and it is difficult for me to imagine how SCTs from one issuance goroutine could cross over into another. Discuss?

aarongable Feb 14 '23 17:02
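The structures the issue says cert-checker would need (the precert tbsCertificate rebuilt from the final cert, the RFC 6962 digitally-signed struct, and a log ID to public key map) are shown below as an added, self-contained example. It is not boulder code and not the reporter's; it uses only the Go standard library (Go 1.19 or later). Everything in it is constructed for the example: a throwaway issuing CA, a single in-memory key standing in for a CT log, two leaf certificates, and the function names (`stripExtension`, `signingInput`, `logSign`, `parseSCTList`, `checkSCTs`, `issue`, `demo`) are hypothetical. `demo` runs the serial flow the issue describes (poisoned precert, strip poison, SCT from the log, final cert) for two certificates, then re-issues the second with the first's SCT list, which is the cross-over case from the linked Mozilla bug; the check accepts the first and rejects the second.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // embedded SCT list, RFC 6962 §3.3
	oidPoison  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // precertificate poison
)

// tbsCertificate is RFC 5280 TBSCertificate with only the extensions decoded; the leading
// fields round-trip as raw DER (every v3 certificate carries the explicit version field).
type tbsCertificate struct {
	Version, SerialNumber, Signature, Issuer, Validity, Subject, SubjectPublicKeyInfo asn1.RawValue
	IssuerUniqueID  asn1.BitString   `asn1:"optional,tag:1"`
	SubjectUniqueID asn1.BitString   `asn1:"optional,tag:2"`
	Extensions      []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
}

// stripExtension re-encodes a TBSCertificate without one extension. The CA drops the poison
// from the precert and the checker drops the SCT list from the final cert; for a consistent
// issuance both give the same bytes, and the SCT signature only verifies over those bytes.
func stripExtension(rawTBS []byte, oid asn1.ObjectIdentifier) ([]byte, error) {
	var tbs tbsCertificate
	if rest, err := asn1.Unmarshal(rawTBS, &tbs); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("bad TBSCertificate: %v", err)
	}
	kept, before := tbs.Extensions[:0], len(tbs.Extensions)
	for _, e := range tbs.Extensions {
		if !e.Id.Equal(oid) {
			kept = append(kept, e)
		}
	}
	if tbs.Extensions = kept; len(kept) == before {
		return nil, fmt.Errorf("extension %v not present", oid)
	}
	return asn1.Marshal(tbs)
}

// signingInput is the RFC 6962 §3.2 digitally-signed struct for a precert_entry: the bytes
// a log signs to produce an SCT, which the checker has to rebuild bit for bit.
func signingInput(ts uint64, issuerKeyHash [32]byte, tbs, exts []byte) []byte {
	b := []byte{0, 0} // sct_version v1, signature_type certificate_timestamp
	b = binary.BigEndian.AppendUint64(b, ts)
	b = binary.BigEndian.AppendUint16(b, 1) // LogEntryType precert_entry
	b = append(b, issuerKeyHash[:]...)
	b = append(b, byte(len(tbs)>>16), byte(len(tbs)>>8), byte(len(tbs))) // opaque tbs_certificate<1..2^24-1>
	b = append(b, tbs...)
	b = binary.BigEndian.AppendUint16(b, uint16(len(exts)))
	return append(b, exts...)
}

// A throwaway key stands in for one CT log (constructed for this example). A log's ID is
// the SHA-256 of its SubjectPublicKeyInfo, which is also the key of the checker's log map.
var logKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
var logSPKI, _ = x509.MarshalPKIXPublicKey(&logKey.PublicKey)
var logID = sha256.Sum256(logSPKI)

// logSign plays the log: it returns a TLS-encoded v1 SCT (no extensions, sha256/ecdsa) over
// the precert TBS, wrapped as a one-element SignedCertificateTimestampList.
func logSign(issuerKeyHash [32]byte, precertTBS []byte) []byte {
	ts := uint64(time.Now().UnixMilli())
	h := sha256.Sum256(signingInput(ts, issuerKeyHash, precertTBS, nil))
	sig, _ := ecdsa.SignASN1(rand.Reader, logKey, h[:])
	raw := binary.BigEndian.AppendUint64(append([]byte{0}, logID[:]...), ts)
	raw = append(raw, 0, 0, 4, 3) // CtExtensions length 0; SignatureAndHashAlgorithm sha256, ecdsa
	raw = append(binary.BigEndian.AppendUint16(raw, uint16(len(sig))), sig...)
	list := binary.BigEndian.AppendUint16(nil, uint16(len(raw)+2))
	return append(binary.BigEndian.AppendUint16(list, uint16(len(raw))), raw...)
}

type sct struct {
	logID     [32]byte
	ts        uint64
	exts, sig []byte
	algs      [2]byte // SignatureAndHashAlgorithm: hash, signature
}

// parseSCTList decodes the extension value: a DER OCTET STRING holding the TLS-encoded list.
func parseSCTList(extValue []byte) (out []sct, err error) {
	var list []byte
	if _, err = asn1.Unmarshal(extValue, &list); err != nil {
		return nil, err
	}
	if len(list) < 2 || int(binary.BigEndian.Uint16(list)) != len(list)-2 {
		return nil, errors.New("bad SCT list length")
	}
	for b := list[2:]; len(b) > 0; {
		var s sct
		n := 0
		if len(b) >= 2 {
			n, b = int(binary.BigEndian.Uint16(b)), b[2:]
		}
		if n < 47 || n > len(b) || b[0] != 0 { // v1, log_id, timestamp, two length fields, algs
			return nil, errors.New("bad SCT")
		}
		copy(s.logID[:], b[1:33])
		s.ts = binary.BigEndian.Uint64(b[33:41])
		x := 43 + int(binary.BigEndian.Uint16(b[41:43])) // end of CtExtensions
		if x+4 > n || int(binary.BigEndian.Uint16(b[x+2:x+4])) != n-x-4 {
			return nil, errors.New("bad SCT lengths")
		}
		s.exts, s.algs, s.sig = b[43:x], [2]byte{b[x], b[x+1]}, b[x+4:n]
		out, b = append(out, s), b[n:]
	}
	return out, nil
}

// checkSCTs is the proposed cert-checker step: rebuild the precert TBS from the final cert,
// rebuild the signed struct, and verify every embedded SCT with the log's key. logKeys is
// the "map of log IDs to log public keys" the issue mentions.
func checkSCTs(finalDER []byte, issuer *x509.Certificate, logKeys map[[32]byte]*ecdsa.PublicKey) error {
	cert, err := x509.ParseCertificate(finalDER)
	if err != nil {
		return err
	}
	var scts []sct
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidSCTList) {
			if scts, err = parseSCTList(e.Value); err != nil {
				return err
			}
		}
	}
	if len(scts) == 0 {
		return errors.New("no SCTs embedded")
	}
	tbs, err := stripExtension(cert.RawTBSCertificate, oidSCTList)
	if err != nil {
		return err
	}
	issuerKeyHash := sha256.Sum256(issuer.RawSubjectPublicKeyInfo)
	for i, s := range scts {
		pub, ok := logKeys[s.logID]
		if !ok || s.algs != [2]byte{4, 3} { // only sha256/ecdsa is handled here
			return fmt.Errorf("SCT %d: unknown log or unsupported algorithm", i)
		}
		h := sha256.Sum256(signingInput(s.ts, issuerKeyHash, tbs, s.exts))
		if !ecdsa.VerifyASN1(pub, h[:], s.sig) {
			return fmt.Errorf("SCT %d: signature does not cover this certificate's TBS", i)
		}
	}
	return nil
}

// issue models one goroutine's serial flow: poisoned precert, strip poison, SCT from the
// log, final cert. A non-nil override replaces the cert's own SCT list, which models the
// cross-over bug from the linked report. The cert's own SCT list is returned either way.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, name string, override []byte) (finalDER, own []byte) {
	leaf, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{name}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidPoison, Critical: true, Value: []byte{5, 0}}}} // poison = NULL
	preDER, _ := x509.CreateCertificate(rand.Reader, t, ca, &leaf.PublicKey, caKey)
	pre, _ := x509.ParseCertificate(preDER)
	preTBS, _ := stripExtension(pre.RawTBSCertificate, oidPoison)
	own = logSign(sha256.Sum256(ca.RawSubjectPublicKeyInfo), preTBS)
	if override == nil {
		override = own
	}
	der, _ := asn1.Marshal(override) // extnValue is an OCTET STRING holding the TLS-encoded list
	t.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: der}}
	finalDER, _ = x509.CreateCertificate(rand.Reader, t, ca, &leaf.PublicKey, caKey)
	return finalDER, own
}

// demo issues two certs correctly, then re-issues the second carrying the first's SCT list.
func demo() (goodErr, crossedErr error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ct := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ct, ct, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	logKeys := map[[32]byte]*ecdsa.PublicKey{logID: &logKey.PublicKey}
	goodDER, goodSCTs := issue(ca, caKey, 1001, "a.example.test", nil)
	crossedDER, _ := issue(ca, caKey, 1002, "b.example.test", goodSCTs)
	return checkSCTs(goodDER, ca, logKeys), checkSCTs(crossedDER, ca, logKeys)
}

func main() {
	good, crossed := demo()
	fmt.Println("correct issuance:", good)
	fmt.Println("crossed-over SCT list:", crossed)
}
```

Two points worth noting for anyone turning this into a real check. First, `checkSCTs` only verifies the SCT signature, which needs the log's public key but no network access and no waiting: it proves the log signed this exact precert TBS, which is precisely what the cross-over case violates. Confirming that the log actually incorporated the entry (fetching an inclusion proof) is the part that needs the log URL and the Maximum Merge Delay wait. Second, the reconstruction only works if the same re-encoding of the TBS is used on both sides; here `stripExtension` serves both the CA step and the checker step, and for certificates produced by Go's `x509.CreateCertificate` it reproduces the original DER byte for byte.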