Skip to main content

3.2. Structure of the Signed Certificate Timestamp

3.2. Structure of the Signed Certificate Timestamp

    enum { certificate_timestamp(0), tree_hash(1), (255) }
      SignatureType;

    enum { v1(0), (255) }
      Version;

      struct {
          opaque key_id[32];
      } LogID;

      opaque TBSCertificate<1..2^24-1>;

      struct {
        opaque issuer_key_hash[32];
        TBSCertificate tbs_certificate;
      } PreCert;

      opaque CtExtensions<0..2^16-1>;

"key_id" is the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo.

"issuer_key_hash" is the SHA-256 hash of the certificate issuer's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. This is needed to bind the issuer to the final certificate.

"tbs_certificate" is the DER-encoded TBSCertificate (see [RFC5280]) component of the Precertificate -- that is, without the signature and the poison extension. If the Precertificate is not signed with the CA certificate that will issue the final certificate, then the TBSCertificate also has its issuer changed to that of the CA that will issue the final certificate. Note that it is also possible to reconstruct this TBSCertificate from the final certificate by extracting the TBSCertificate from it and deleting the SCT extension. Also note that since the TBSCertificate contains an AlgorithmIdentifier that must match both the Precertificate signature algorithm and final certificate signature algorithm, they must be signed with the same algorithm and parameters. If the Precertificate is issued using a Precertificate Signing Certificate and an Authority Key Identifier extension is present in the TBSCertificate, the corresponding extension must also be present in the Precertificate Signing Certificate -- in this case, the TBSCertificate also has its Authority Key Identifier changed to match the final issuer.

    struct {
        Version sct_version;
        LogID id;
        uint64 timestamp;
        CtExtensions extensions;
        digitally-signed struct {
            Version sct_version;
            SignatureType signature_type = certificate_timestamp;
            uint64 timestamp;
            LogEntryType entry_type;
            select(entry_type) {
                case x509_entry: ASN.1Cert;
                case precert_entry: PreCert;
            } signed_entry;
           CtExtensions extensions;
        };
    } SignedCertificateTimestamp;

The encoding of the digitally-signed element is defined in [RFC5246].

"sct_version" is the version of the protocol to which the SCT conforms. This version is v1.

"timestamp" is the current NTP Time [RFC5905], measured since the epoch (January 1, 1970, 00:00), ignoring leap seconds, in milliseconds.

"entry_type" may be implicit from the context in which the SCT is presented.

"signed_entry" is the "leaf_certificate" (in the case of an X509ChainEntry) or is the PreCert (in the case of a PrecertChainEntry), as described above.

"extensions" are future extensions to this protocol version (v1). Currently, no extensions are specified.

Last updated on