{
  "same_root_cause": true,
  "same_sink": true,
  "sink": "getTLogTimestamp (packages/verify/src/timestamp/index.ts) -> integratedTime treated as a trusted timestamp -> verifySigningKey/verifyCertificate (packages/verify/src/key/index.ts) accepts an expired cert at an attacker-chosen time",
  "parent_root_cause": "unauthenticated integratedTime of an inclusionProof-only entry is trusted as a timestamp (no inclusionPromise at all)",
  "variant_root_cause": "unauthenticated integratedTime of an entry carrying a FORGED inclusionPromise is trusted as a timestamp (the presence check passes, but the SET is never validated because the entry is decoupled from tlogEntries)",
  "equivalence_rationale": "Both the original CVE and this variant reach the same sink: an unauthenticated integratedTime is trusted as a timestamp in getTLogTimestamp/verifyTimestamps/verifySigningKey. The original used an inclusionProof-only entry (no inclusionPromise); the fix gated getTLogTimestamp on inclusionPromise presence. The variant defeats that gate by supplying a forged inclusionPromise whose SET is never validated (decoupled SignedEntity), so the same unauthenticated integratedTime is trusted and the same impact (an expired certificate is accepted) results on the fixed version. A presence check on inclusionPromise does not authenticate integratedTime; the value is trustworthy only once the SET covering that entry has been verified.",
  "bypass_on_fixed": true
}