type | detail |
---|---|
malformed | The request could not be parsed. |
type | detail |
---|---|
badSubmission | submission is neither a valid certificate nor a valid precertificate. |
badType | type is neither 1 nor 2. |
badChain | The first element of chain is not the certifier of the submission, or the second element does not certify the first, etc. |
badCertificate | One or more certificates in chain are not valid (e.g., not properly encoded). |
unknownAnchor | The last element of chain (or, if chain is an empty array, the submission) is not, nor is it certified by, an accepted trust anchor. |
shutdown | The log is no longer accepting submissions. |
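The chain rules behind badChain, badCertificate and unknownAnchor, as an added worked example that is not text or code from RFC 9162 or from any log implementation: a Go function that classifies a submitted DER certificate plus chain against a list of accepted trust anchors, exercised on a constructed root / intermediate / leaf hierarchy. The names ClassifyChain, mint, template and Scenarios are chosen here; "certifies" is implemented as signature verification with crypto/x509's CheckSignatureFrom, and the precertificate-specific cases (badType, and badSubmission for a malformed precert) are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Error identifiers from the add-chain table (only the chain-related ones).
const (
	ErrBadSubmission  = "badSubmission"
	ErrBadCertificate = "badCertificate"
	ErrBadChain       = "badChain"
	ErrUnknownAnchor  = "unknownAnchor"
)

// ClassifyChain applies the add-chain rules to a raw DER submission and chain and
// returns the matching error identifier, or "" when the chain is acceptable.
// "certifies" is checked by signature verification (CheckSignatureFrom), which
// also enforces the parent's CA basic constraint and keyCertSign usage.
func ClassifyChain(submission []byte, chain [][]byte, anchors []*x509.Certificate) string {
	prev, err := x509.ParseCertificate(submission)
	if err != nil {
		return ErrBadSubmission
	}
	var parsed []*x509.Certificate
	for _, raw := range chain {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return ErrBadCertificate // not properly encoded
		}
		parsed = append(parsed, c)
	}
	// chain[0] must certify the submission, chain[i+1] must certify chain[i], etc.
	for _, c := range parsed {
		if prev.CheckSignatureFrom(c) != nil {
			return ErrBadChain
		}
		prev = c
	}
	// prev is now the last element of chain (or the submission if chain is empty):
	// it must be an accepted trust anchor, or be certified by one.
	for _, a := range anchors {
		if prev.Equal(a) || prev.CheckSignatureFrom(a) == nil {
			return ""
		}
	}
	return ErrUnknownAnchor
}

// template builds a minimal certificate template; ca selects CA vs end-entity usage.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// mint issues a P-256 certificate for tmpl signed by parent (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenarios builds a constructed PKI (root -> intermediate -> leaf, plus an
// unrelated root) and returns the identifier ClassifyChain assigns to each case.
func Scenarios() map[string]string {
	root, rootKey := mint(template("Constructed Root", 1, true), nil, nil)
	inter, interKey := mint(template("Constructed Intermediate", 2, true), root, rootKey)
	leaf, _ := mint(template("leaf.example", 3, false), inter, interKey)
	other, _ := mint(template("Unrelated Root", 4, true), nil, nil)
	accepted := []*x509.Certificate{root}
	return map[string]string{
		"full chain to accepted root":    ClassifyChain(leaf.Raw, [][]byte{inter.Raw, root.Raw}, accepted),
		"chain ends at intermediate":     ClassifyChain(leaf.Raw, [][]byte{inter.Raw}, accepted),
		"chain out of order":             ClassifyChain(leaf.Raw, [][]byte{root.Raw, inter.Raw}, accepted),
		"empty chain, leaf not anchored": ClassifyChain(leaf.Raw, nil, accepted),
		"chain to unaccepted root":       ClassifyChain(leaf.Raw, [][]byte{inter.Raw, root.Raw}, []*x509.Certificate{other}),
		"undecodable chain element":      ClassifyChain(leaf.Raw, [][]byte{inter.Raw, []byte("not DER")}, accepted),
		"undecodable submission":         ClassifyChain([]byte{0x30}, nil, accepted),
	}
}

func main() {
	for name, id := range Scenarios() {
		if id == "" {
			id = "accepted"
		}
		fmt.Printf("%-32s -> %s\n", name, id)
	}
}
```

Two caveats a log operator would add: CheckSignatureFrom does not check validity periods or issuer/subject name chaining, so a production log layers those checks (and its precertificate handling) on top, and the anchor set must be exactly the one the log advertises, since any certified-by-anchor match ends the search.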
type | detail |
---|---|
firstUnknown | first is before the latest known STH but is not from an existing STH. |
secondUnknown | second is before the latest known STH but is not from an existing STH. |
secondBeforeFirst | second is smaller than first. |
type | detail |
---|---|
hashUnknown | hash is not the hash of a known leaf (may be caused by skew or by a known certificate not yet merged). |
treeSizeUnknown | tree_size is before the latest known STH but is not from an existing STH.
Case | Response |
---|---|
latest STH < requested tree head | Return latest STH. |
latest STH > requested tree head | Return latest STH and a consistency proof between it and the requested tree head (see |
index of requested hash < latest STH | Return inclusion. |
type | detail |
---|---|
startUnknown | start is greater than the number of entries in the Merkle Tree. |
endBeforeStart | start cannot be greater than end. |
Value | Extension Name | TLS 1.3 | DTLS-Only | Recommended | Reference |
---|---|---|---|---|---|
52 | transparency_info | CH, CR, CT | N | Y | RFC 9162 |
Range | Registration Procedures |
---|---|
0x00-0xDF | Specification Required |
0xE0-0xEF | Experimental Use |
0xF0-0xFF | Private Use |
Value | Hash Algorithm | OID | Reference |
---|---|---|---|
0x00 | SHA-256 | 2.16.840.1.101.3.4.2.1 | |
0x01 - 0xDF | Unassigned | RFC 9162 | |
0xE0 - 0xEF | Reserved for Experimental Use | RFC 9162 | |
0xF0 - 0xFF | Reserved for Private Use | RFC 9162 |
- Note:
- This is a subset of the "TLS SignatureScheme" registry, limited to those algorithms that are appropriate for CT. A major advantage of this is leveraging the expertise of the TLS Working Group and its designated expert(s).
- Note:
- The value 0x0403 appears twice. While this may be confusing, it is okay because the verification process is the same for both algorithms, and the choice of which to use when generating a signature is purely internal to the log server.
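Why listing 0x0403 twice is harmless, as an added example that is not part of RFC 9162 or of any log's code: the same P-256 key signs the same hash once with a randomized nonce (the standard library's ecdsa.Sign) and once with an RFC 6979 deterministic nonce derived by HMAC-SHA256 (rfc6979Nonce and SignDeterministic are implemented here for illustration), and both signatures pass the one stdlib verifier, ecdsa.Verify. The names rfc6979Nonce, SignDeterministic and SameVerifier and the hashed message are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// rfc6979Nonce derives the per-signature secret k from the private scalar d and
// the message hash h1 following RFC 6979 section 3.2, specialised to SHA-256 on a
// curve whose order n is 256 bits (so bits2int is the identity; no truncation).
func rfc6979Nonce(d, n *big.Int, h1 []byte) *big.Int {
	qlen := (n.BitLen() + 7) / 8
	x := make([]byte, qlen)
	d.FillBytes(x) // int2octets(d)
	hb := make([]byte, qlen)
	new(big.Int).Mod(new(big.Int).SetBytes(h1), n).FillBytes(hb) // bits2octets(h1)

	mac := func(key []byte, parts ...[]byte) []byte {
		m := hmac.New(sha256.New, key)
		for _, p := range parts {
			m.Write(p)
		}
		return m.Sum(nil)
	}
	V := bytes.Repeat([]byte{0x01}, sha256.Size)
	K := make([]byte, sha256.Size)
	K = mac(K, V, []byte{0x00}, x, hb)
	V = mac(K, V)
	K = mac(K, V, []byte{0x01}, x, hb)
	V = mac(K, V)
	for {
		var T []byte
		for len(T) < qlen {
			V = mac(K, V)
			T = append(T, V...)
		}
		k := new(big.Int).SetBytes(T[:qlen])
		if k.Sign() > 0 && k.Cmp(n) < 0 {
			return k
		}
		K = mac(K, V, []byte{0x00})
		V = mac(K, V)
	}
}

// SignDeterministic is plain ECDSA with the nonce taken from rfc6979Nonce:
// R = kG, r = R.x mod n, s = k^-1 (e + r d) mod n. Only the nonce source differs
// from randomized ECDSA, which is why the verifier cannot tell them apart.
func SignDeterministic(priv *ecdsa.PrivateKey, hash []byte) (r, s *big.Int, err error) {
	n := priv.Curve.Params().N
	e := new(big.Int).Mod(new(big.Int).SetBytes(hash), n)
	k := rfc6979Nonce(priv.D, n, hash)
	kb := make([]byte, (n.BitLen()+7)/8)
	rx, _ := priv.Curve.ScalarBaseMult(k.FillBytes(kb))
	r = new(big.Int).Mod(rx, n)
	s = new(big.Int).Mul(r, priv.D)
	s.Add(s, e)
	s.Mul(s, new(big.Int).ModInverse(k, n))
	s.Mod(s, n)
	if r.Sign() == 0 || s.Sign() == 0 {
		// RFC 6979 continues the k-generation loop here; probability about 2^-256.
		return nil, nil, errors.New("degenerate signature, retry with the next k")
	}
	return r, s, nil
}

// SameVerifier signs one hash both ways and reports whether the deterministic
// signature is repeatable and whether each signature passes ecdsa.Verify.
func SameVerifier() (repeatable, detOK, randOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	hash := sha256.Sum256([]byte("constructed tree head bytes")) // constructed input
	r1, s1, err := SignDeterministic(priv, hash[:])
	if err != nil {
		return
	}
	r2, s2, err := SignDeterministic(priv, hash[:])
	if err != nil {
		return
	}
	rr, rs, err := ecdsa.Sign(rand.Reader, priv, hash[:])
	if err != nil {
		return
	}
	repeatable = r1.Cmp(r2) == 0 && s1.Cmp(s2) == 0
	detOK = ecdsa.Verify(&priv.PublicKey, hash[:], r1, s1)
	randOK = ecdsa.Verify(&priv.PublicKey, hash[:], rr, rs)
	return
}

func main() {
	rep, det, rnd, err := SameVerifier()
	fmt.Println("deterministic repeatable:", rep, "deterministic verifies:", det, "randomized verifies:", rnd, "err:", err)
}
```

The practical consequence for a log is that a bad nonce source is the one thing the verifier cannot catch: a client sees only (r, s) and a SignatureScheme value, so the choice between the two 0x0403 rows is purely the signer's risk management.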
Range | Registration Procedures |
---|---|
0x0000-0x0807 | Specification Required |
0x0808-0xFDFF | Expert Review |
0xFE00-0xFEFF | Experimental Use |
0xFF00-0xFFFF | Private Use |
SignatureScheme Value | Signature Algorithm | Reference |
---|---|---|
0x0000 - 0x0402 | Unassigned | |
ecdsa_secp256r1_sha256 (0x0403) | ECDSA (NIST P-256) with SHA-256 | |
ecdsa_secp256r1_sha256 (0x0403) | Deterministic ECDSA (NIST P-256) with HMAC-SHA256 | |
0x0404 - 0x0806 | Unassigned | |
ed25519 (0x0807) | Ed25519 (PureEdDSA with the edwards25519 curve) | |
0x0808 - 0xFDFF | Unassigned | |
0xFE00 - 0xFEFF | Reserved for Experimental Use | RFC 9162 |
0xFF00 - 0xFFFF | Reserved for Private Use | RFC 9162 |
- Note:
- The range 0x0000..0x00FF is reserved so that v1 SCTs are distinguishable from v2 SCTs and other TransItem structures.
Range | Registration Procedures |
---|---|
0x0100-0xDFFF | Specification Required |
0xE000-0xEFFF | Experimental Use |
0xF000-0xFFFF | Private Use |
Value | Type and Version | Reference |
---|---|---|
0x0000 - 0x00FF | Reserved | |
0x0100 | x509_entry_v2 | RFC 9162 |
0x0101 | precert_entry_v2 | RFC 9162 |
0x0102 | x509_sct_v2 | RFC 9162 |
0x0103 | precert_sct_v2 | RFC 9162 |
0x0104 | signed_tree_head_v2 | RFC 9162 |
0x0105 | consistency_proof_v2 | RFC 9162 |
0x0106 | inclusion_proof_v2 | RFC 9162 |
0x0107 - 0xDFFF | Unassigned | |
0xE000 - 0xEFFF | Reserved for Experimental Use | RFC 9162 |
0xF000 - 0xFFFF | Reserved for Private Use | RFC 9162 |
Range | Registration Procedures |
---|---|
0x0000-0xDFFF | Specification Required |
0xE000-0xEFFF | Experimental Use |
0xF000-0xFFFF | Private Use |
ExtensionType | Status | Use | Reference |
---|---|---|---|
0x0000 - 0xDFFF | Unassigned | n/a | |
0xE000 - 0xEFFF | Reserved for Experimental Use | n/a | RFC 9162 |
0xF000 - 0xFFFF | Reserved for Private Use | n/a | RFC 9162 |
Log ID | Log Base URL | Log Operator | Reference |
---|---|---|---|
1.3.101.8192 - 1.3.101.16383 | Unassigned | Unassigned | |
1.3.101.80.0 - 1.3.101.80.* | Unassigned | Unassigned |
- Note:
- All OIDs in the range from 1.3.101.8192 to 1.3.101.16383 have been set aside for Log IDs. This is a limited resource of 8,192 OIDs, each of which has an encoded length of 4 octets.
- Note:
- The 1.3.101.80 arc has also been set aside for Log IDs. This is an unlimited resource, but only the 128 OIDs from 1.3.101.80.0 to 1.3.101.80.127 have an encoded length of only 4 octets.
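Where the "encoded length of 4 octets" figures in the two notes come from, as an added example that is not part of RFC 9162: a small DER OID content encoder in Go (the first two arcs pack into one byte, later arcs are base-128 with continuation bits), cross-checked against encoding/asn1, and a counter that walks each reserved range. The names OIDContent, EncodedLen, MatchesStdlib and FourOctetCount are chosen here; the example goes slightly beyond the notes by also showing the first OID on either side of each boundary.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// base128 encodes one arc as DER base-128: high bit set on every byte but the last.
func base128(v int) []byte {
	buf := []byte{byte(v & 0x7f)}
	for v >>= 7; v > 0; v >>= 7 {
		buf = append([]byte{byte(v&0x7f) | 0x80}, buf...)
	}
	return buf
}

// OIDContent returns the DER content octets of an OID (tag and length omitted).
// The first two arcs share one byte (40*first + second); every later arc is
// base-128, so 1.3.101 costs 2 octets and the rest depends on the arc values.
func OIDContent(oid []int) []byte {
	out := []byte{byte(oid[0]*40 + oid[1])}
	for _, arc := range oid[2:] {
		out = append(out, base128(arc)...)
	}
	return out
}

// EncodedLen is the "encoded length" the Log ID notes refer to.
func EncodedLen(oid []int) int { return len(OIDContent(oid)) }

// MatchesStdlib cross-checks OIDContent against encoding/asn1 by stripping the
// two-byte tag+length header Marshal prepends (valid while content is < 128 bytes).
func MatchesStdlib(oid []int) bool {
	der, err := asn1.Marshal(asn1.ObjectIdentifier(oid))
	if err != nil || len(der) < 2 {
		return false
	}
	return string(der[2:]) == string(OIDContent(oid))
}

// FourOctetCount counts the OIDs prefix.first .. prefix.last whose encoding is 4 octets.
func FourOctetCount(prefix []int, first, last int) int {
	n := 0
	for a := first; a <= last; a++ {
		oid := append(append([]int{}, prefix...), a)
		if EncodedLen(oid) == 4 {
			n++
		}
	}
	return n
}

func main() {
	boundaries := [][]int{
		{1, 3, 101, 8191}, {1, 3, 101, 8192}, {1, 3, 101, 16383}, {1, 3, 101, 16384},
		{1, 3, 101, 80, 0}, {1, 3, 101, 80, 127}, {1, 3, 101, 80, 128},
	}
	for _, oid := range boundaries {
		fmt.Printf("%v -> % x (%d octets, matches asn1: %v)\n", oid, OIDContent(oid), EncodedLen(oid), MatchesStdlib(oid))
	}
	fmt.Println("4-octet Log IDs in 1.3.101.8192-16383:", FourOctetCount([]int{1, 3, 101}, 8192, 16383))
	fmt.Println("4-octet Log IDs under 1.3.101.80:", FourOctetCount([]int{1, 3, 101, 80}, 0, 100000))
}
```

The arithmetic behind both notes: an arc below 128 takes one base-128 byte and an arc from 128 to 16383 takes two, so 1.3.101.x stays at 4 octets exactly through x = 16383, and 1.3.101.80.y stays at 4 octets only while y < 128. Log IDs are carried inside every SCT, which is why the RFC cares about the extra byte.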
Field Name | Type | Reference |
---|---|---|
Identifier | string | RFC 9162 |
Meaning | string | RFC 9162 |
Reference | string | RFC 9162 |
Identifier | Meaning | Reference |
---|---|---|
malformed | The request could not be parsed. | RFC 9162 |
badSubmission | submission is neither a valid certificate nor a valid precertificate. | RFC 9162 |
badType | type is neither 1 nor 2. | RFC 9162 |
badChain | The first element of chain is not the certifier of the submission, or the second element does not certify the first, etc. | RFC 9162 |
badCertificate | One or more certificates in chain are not valid (e.g., not properly encoded). | RFC 9162 |
unknownAnchor | The last element of chain (or, if chain is an empty array, the submission) is not, nor is it certified by, an accepted trust anchor. | RFC 9162 |
shutdown | The log is no longer accepting submissions. | RFC 9162 |
firstUnknown | first is before the latest known STH but is not from an existing STH. | RFC 9162 |
secondUnknown | second is before the latest known STH but is not from an existing STH. | RFC 9162 |
secondBeforeFirst | second is smaller than first. | RFC 9162 |
hashUnknown | hash is not the hash of a known leaf (may be caused by skew or by a known certificate not yet merged). | RFC 9162 |
treeSizeUnknown | tree_size is before the latest known STH but is not from an existing STH. | RFC 9162
startUnknown | start is greater than the number of entries in the Merkle Tree. | RFC 9162 |
endBeforeStart | start cannot be greater than end. | RFC 9162 |
Decimal | Description | References |
---|---|---|
102 | id-mod-public-notary-v2 | RFC 9162 |