5.2. TLS Client

TLS clients are not directly clients of the log, but they receive SCTs alongside or in server certificates. In addition to normal validation of the certificate and its chain, they should validate the SCT by computing the signature input from the SCT data as well as the certificate and verifying the signature, using the corresponding log's public key. Note that this document does not describe how clients obtain the logs' public keys.

TLS clients MUST reject SCTs whose timestamp is in the future.
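
The following is an added example, not part of the specification text: a Python sketch of the client-side check described above for an SCT delivered alongside an X.509 certificate (entry type x509_entry), with the signed fields laid out as in the digitally-signed structure of RFC 6962, Section 3.2. The names SCT, signature_input and validate_sct are illustrative, the verify callback is a hypothetical hook standing in for the log public key lookup and signature check that this section leaves unspecified, and the sample bytes are constructed.

```python
import struct
import time
from dataclasses import dataclass
from typing import Callable, Optional

V1 = 0                     # Version.v1
CERTIFICATE_TIMESTAMP = 0  # SignatureType.certificate_timestamp
X509_ENTRY = 0             # LogEntryType.x509_entry


@dataclass
class SCT:
    version: int
    log_id: bytes      # SHA-256 hash of the log's public key
    timestamp: int     # milliseconds since the Unix epoch
    extensions: bytes  # CtExtensions, opaque <0..2^16-1>
    signature: bytes   # signature bytes taken from the SCT


def signature_input(sct: SCT, cert_der: bytes) -> bytes:
    """Rebuild the data the log signed for an x509_entry (TLS encoding)."""
    if not 0 < len(cert_der) < 1 << 24:
        raise ValueError("ASN.1Cert must be 1..2^24-1 bytes")
    if len(sct.extensions) >= 1 << 16:
        raise ValueError("CtExtensions must be 0..2^16-1 bytes")
    return b"".join([
        struct.pack(">BBQH", sct.version, CERTIFICATE_TIMESTAMP, sct.timestamp, X509_ENTRY),
        len(cert_der).to_bytes(3, "big"), cert_der,              # ASN.1Cert
        struct.pack(">H", len(sct.extensions)), sct.extensions,  # CtExtensions
    ])


def validate_sct(sct: SCT, cert_der: bytes,
                 verify: Callable[[bytes, bytes, bytes], bool],
                 now_ms: Optional[int] = None) -> bool:
    """verify(log_id, signed_data, signature) is supplied by the caller (assumption)."""
    if sct.version != V1:
        return False
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if sct.timestamp > now_ms:
        return False  # timestamp in the future: reject before any signature work
    return bool(verify(sct.log_id, signature_input(sct, cert_der), sct.signature))


# Constructed sample values: a 5-byte stand-in for DER, not a real certificate.
SAMPLE_CERT = bytes.fromhex("3003020101")
SAMPLE_SCT = SCT(V1, bytes(32), 1000, b"", b"constructed-signature")
```

SCTs embedded in the certificate itself are signed over a precert_entry instead, which this sketch does not cover.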