Certificate Transparency: Require SCTs for EV certificates.

net/cert/ct_verifier.h

Index: net/cert/ct_verifier.h
diff --git a/net/cert/ct_verifier.h b/net/cert/ct_verifier.h
index 290a0474a649138733c902fdc5a8e47b6210f12d..0c13895f7f0c9bb5595bc530b7bd529857dadb5d 100644
--- a/net/cert/ct_verifier.h
+++ b/net/cert/ct_verifier.h
@@ -5,6 +5,8 @@
 #ifndef NET_CERT_CT_VERIFIER_H_
 #define NET_CERT_CT_VERIFIER_H_
 
+#include <string>
+
 #include "net/base/net_export.h"
 
 namespace net {
@@ -36,6 +38,14 @@ class NET_EXPORT CTVerifier {
                      const std::string& sct_list_from_tls_extension,
                      ct::CTVerifyResult* result,
                      const BoundNetLog& net_log) = 0;
+
+  // Returns true if the collection of SCTs for the given certificate
+  // conforms with the CT/EV policy, false otherwise.
+  // |cert| is the certificate for which the SCTs apply (this is needed
+  // to determine the certificate's lifetime).
+  // |ct_result| is the CTVerifyResult filled in by the Verify call.
+  virtual bool DoesConformToCTEVPolicy(X509Certificate* cert,
+                                       const ct::CTVerifyResult& ct_result) = 0;

[Ryan Sleevi, 2014/08/05 22:19:10]

Comments elsewhere regarding layering, but you can see that, conceptually, the
red flag is here because it requires every CT verifier implement a concrete
definition of what Chrome's policy is. This makes it very easy for two different
CTVerifiers to end up with different definitions of what conforming means, even
though there is only One True Policy.

This is (one of) the reasons to split this out.

[Eran Messeri, 2014/10/20 17:26:30]

Moved to a separate class (this interface now only provides the number of logs
it knows about).

 };
 
 }  // namespace net