Certificate Transparency
========================

.. currentmodule:: cryptography.x509.certificate_transparency

`Certificate Transparency`_ is a set of protocols specified in :rfc:`6962`
which allow X.509 certificates to be submitted to append-only logs and which
provide small cryptographic proofs that a certificate has been publicly logged.
This allows for external auditing of the certificates that a certificate
authority has issued.

.. class:: SignedCertificateTimestamp

    .. versionadded:: 2.0

    SignedCertificateTimestamps (SCTs) are small cryptographically signed
    assertions that the specified certificate has been submitted to a
    Certificate Transparency log and that it will be included in the public
    log within some time period. That period is called the "maximum merge
    delay" (MMD), and each log specifies its own.

    .. attribute:: version

        :type: :class:`~cryptography.x509.certificate_transparency.Version`

        The SCT version as an enumeration. Currently only one version has been
        specified.

    .. attribute:: log_id

        :type: bytes

        An opaque identifier indicating which log this SCT is from. This is
        the SHA-256 hash of the log's public key (its DER-encoded
        ``SubjectPublicKeyInfo``), as defined in :rfc:`6962`.

    .. attribute:: timestamp

        :type: :class:`datetime.datetime`

        A naïve datetime representing the time in UTC at which the log asserts
        the certificate had been submitted to it. The log records this with
        millisecond resolution.

    .. attribute:: entry_type

        :type:
            :class:`~cryptography.x509.certificate_transparency.LogEntryType`

        The type of submission to the log that this SCT is for. Log submissions
        can be either certificates themselves or "pre-certificates", which
        indicate a binding intent to issue a certificate for the same data
        with the resulting SCTs embedded in it.


.. class:: Version

    .. versionadded:: 2.0

    An enumeration for SignedCertificateTimestamp versions.

    .. attribute:: v1

        For version 1 SignedCertificateTimestamps.

.. class:: LogEntryType

    .. versionadded:: 2.0

    An enumeration for SignedCertificateTimestamp log entry types.

    .. attribute:: X509_CERTIFICATE

        For SCTs corresponding to X.509 certificates.

    .. attribute:: PRE_CERTIFICATE

        For SCTs corresponding to pre-certificates.
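
The fields documented above are the decoded form of the TLS-style structure
defined in :rfc:`6962` section 3.2. As an added example (not part of the
``cryptography`` library or its documentation), the following stdlib-only
Python decodes and re-encodes an SCT list in that wire format, assembles the
``digitally-signed`` structure that a log's signature covers for both entry
types, and applies the check from :rfc:`6962` section 5.2 that an SCT's
timestamp must not lie in the future. The log key, certificate and signature
bytes are constructed placeholders, not from any real log; logs sign the
assembled structure with ECDSA (NIST P-256) or RSA over SHA-256, and verifying
that signature against the log's public key is left to the caller.

```python
"""RFC 6962 SignedCertificateTimestamp wire format, stdlib only.

Added example, not part of the cryptography library. The sample bytes at the
bottom are constructed placeholders, not from any real log or certificate.
"""
import hashlib
import struct
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

EPOCH = datetime(1970, 1, 1)       # SCT timestamps are naive UTC, ms resolution
V1 = 0                             # Version.v1
SIGTYPE_CERTIFICATE_TIMESTAMP = 0  # SignatureType for SCTs (tree heads use 1)
X509_CERTIFICATE = 0               # LogEntryType.X509_CERTIFICATE
PRE_CERTIFICATE = 1                # LogEntryType.PRE_CERTIFICATE


class SCT(NamedTuple):
    version: int
    log_id: bytes        # SHA-256 of the log's DER SubjectPublicKeyInfo
    timestamp: datetime  # naive UTC
    extensions: bytes    # CtExtensions, empty in v1
    hash_alg: int        # TLS HashAlgorithm (4 = sha256)
    sig_alg: int         # TLS SignatureAlgorithm (1 = rsa, 3 = ecdsa)
    signature: bytes     # DER ECDSA signature or PKCS#1 v1.5 RSA signature


def log_id_for_spki(spki_der: bytes) -> bytes:
    """log_id as RFC 6962 3.2 defines it: SHA-256 over the log's DER SPKI."""
    return hashlib.sha256(spki_der).digest()


def _to_ms(ts: datetime) -> int:
    d = ts - EPOCH  # integer arithmetic, so no float rounding of the ms value
    return (d.days * 86400 + d.seconds) * 1000 + d.microseconds // 1000


def parse_sct(data: bytes) -> SCT:
    """Decode one TLS-encoded SignedCertificateTimestamp (RFC 6962 3.2)."""
    if len(data) < 43:
        raise ValueError("SCT shorter than its fixed header")
    version, log_id, ts_ms, ext_len = struct.unpack_from("!B32sQH", data, 0)
    if version != V1:
        raise ValueError("unsupported SCT version %d" % version)
    pos = 43
    extensions = data[pos:pos + ext_len]
    pos += ext_len
    if len(data) < pos + 4:
        raise ValueError("truncated SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from("!BBH", data, pos)
    pos += 4
    signature = data[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(data):
        raise ValueError("truncated or trailing bytes in SCT")
    ts = EPOCH + timedelta(milliseconds=ts_ms)
    return SCT(version, log_id, ts, extensions, hash_alg, sig_alg, signature)


def encode_sct(sct: SCT) -> bytes:
    """Inverse of parse_sct."""
    return (struct.pack("!B32sQH", sct.version, sct.log_id,
                        _to_ms(sct.timestamp), len(sct.extensions))
            + sct.extensions
            + struct.pack("!BBH", sct.hash_alg, sct.sig_alg, len(sct.signature))
            + sct.signature)


def parse_sct_list(data: bytes) -> List[SCT]:
    """Decode a SignedCertificateTimestampList (RFC 6962 3.3): a uint16 total
    length, then uint16-length-prefixed SCTs. This is the payload of the X.509
    SCT extension's OCTET STRING and of the TLS extension."""
    if len(data) < 2 or struct.unpack_from("!H", data, 0)[0] != len(data) - 2:
        raise ValueError("bad SCT list length")
    pos, scts = 2, []
    while pos < len(data):
        if len(data) < pos + 2:
            raise ValueError("truncated SCT list")
        (n,) = struct.unpack_from("!H", data, pos)
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def encode_sct_list(scts: List[SCT]) -> bytes:
    body = b"".join(struct.pack("!H", len(e)) + e for e in map(encode_sct, scts))
    return struct.pack("!H", len(body)) + body


def signed_input(sct: SCT, entry_type: int, entry: bytes,
                 issuer_key_hash: Optional[bytes] = None) -> bytes:
    """Bytes the log's signature covers (the digitally-signed struct of RFC 6962
    3.2). For X509_CERTIFICATE, `entry` is the DER certificate. For
    PRE_CERTIFICATE, `entry` is the TBSCertificate prepared as 3.2 requires
    (SCT extension removed) and issuer_key_hash is SHA-256 of the issuer's DER
    SPKI. Verify sct.signature over the result with the log's public key."""
    if entry_type == X509_CERTIFICATE:
        signed_entry = struct.pack("!I", len(entry))[1:] + entry  # opaque<1..2^24-1>
    elif entry_type == PRE_CERTIFICATE:
        if issuer_key_hash is None or len(issuer_key_hash) != 32:
            raise ValueError("PRE_CERTIFICATE entries need a 32-byte issuer_key_hash")
        signed_entry = issuer_key_hash + struct.pack("!I", len(entry))[1:] + entry
    else:
        raise ValueError("unknown entry type %d" % entry_type)
    return (struct.pack("!BBQH", sct.version, SIGTYPE_CERTIFICATE_TIMESTAMP,
                        _to_ms(sct.timestamp), entry_type)
            + signed_entry + struct.pack("!H", len(sct.extensions)) + sct.extensions)


def timestamp_not_in_future(sct: SCT, now: datetime) -> bool:
    """RFC 6962 5.2: clients reject SCTs whose timestamp is in the future."""
    return sct.timestamp <= now


# Constructed sample values: not a real log key, signature or certificate.
FAKE_LOG_SPKI_DER = b"\x30\x59" + bytes(89)
FAKE_CERT_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_SCT = SCT(V1, log_id_for_spki(FAKE_LOG_SPKI_DER),
                 datetime(2017, 3, 22, 13, 17, 20, 500000), b"", 4, 3,
                 b"\x30\x06\x02\x01\x01\x02\x01\x01")

if __name__ == "__main__":
    wire = encode_sct_list([SAMPLE_SCT])
    for s in parse_sct_list(wire):
        print(s.timestamp, s.log_id.hex(),
              len(signed_input(s, X509_CERTIFICATE, FAKE_CERT_DER)))
```

The parser rejects truncated or over-long structures rather than silently
reading what it can, since an SCT that decodes "mostly" is exactly the kind of
input that should not reach a signature check. ``signed_input`` is where most
hand-rolled verifiers go wrong: the bytes signed are not the SCT itself but the
version, signature type, timestamp, entry type, length-prefixed entry and
extensions, and for a pre-certificate the entry is the issuer key hash followed
by the stripped TBSCertificate, not the final certificate.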

.. _`Certificate Transparency`: https://www.certificate-transparency.org/