PreCertificate in CT log but related Certificate not found.


John Han

Aug 30, 2022, 3:59:04 AM
to dev-secur...@mozilla.org
Hi All,
Recently I found this precertificate https://crt.sh/?id=7319399876, but its related certificate is not found in the CT log.
Is this compliant with current policy?

HAN Yuwei

Ryan Hurst

Aug 30, 2022, 10:48:48 AM
to John Han, dev-secur...@mozilla.org
Yes, very few CAs currently publish final certificates; the final certificates in the logs are usually discovered by crawlers.

Technically it is even permissible to not log pre-certificates as well. Not doing so means visitors to a site that uses that certificate will receive an interstitial that must be bypassed by the user though.

Ryan Hurst



--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/0904ff95-841a-49d5-923b-9cfac12d3b53n%40mozilla.org.

Martijn Katerbarg

Aug 30, 2022, 12:23:31 PM
to dev-secur...@mozilla.org, hanyu...@gmail.com
Hi Han,

This is normal behavior. Some CAs submit both the precertificates and certificates to CT logs, while others only (or mainly) submit precertificates.

For example, the issuing CA of the certificate you mentioned has about more than 3 times as many precertificates logged as it has certificates.

Regards,

Martijn

On Tuesday, 30 August 2022 at 09:59:04 UTC+2, hanyu...@gmail.com wrote:

John Han

Aug 30, 2022, 12:38:06 PM
to dev-secur...@mozilla.org, ryan....@gmail.com, dev-secur...@mozilla.org, John Han
So as they submitted the final certificate to logs, it doesn't matter that the certificate should be visible to tools like crt.sh?

Ryan Hurst

Aug 30, 2022, 12:54:41 PM
to John Han, dev-secur...@mozilla.org
If the final certificate is submitted to logs it would be in monitors, but most CAs do not, and for those issuers the only certificates in the logs are those that are discovered by crawlers or individuals that submit them to the logs. In other words, you cannot rely on final certificates being present in logs.

Ryan
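Added example, not part of this thread or of any CA's or log's tooling: the RFC 6962 relationship Ryan and Martijn describe, in standard-library Python. A precertificate is the TBSCertificate with a critical poison extension (OID 1.3.6.1.4.1.11129.2.4.3); the final certificate drops the poison and usually carries the SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2) instead, with everything else byte-identical. The code builds a constructed precert/final pair from a stub TBS, classifies each by its CT extensions, and checks that the two correspond by stripping those two extensions and comparing the remaining bytes, which is what a monitor has to do when matching a logged precertificate to a final certificate it crawls later. All names, serial numbers and key bits are constructed stubs, and the check assumes the precertificate was signed by the issuing CA itself (with a Precertificate Signing Certificate the issuer field would differ as well).

```python
# Added example (stdlib only): tell a CT precertificate from its final certificate
# and check that the two correspond. Every certificate field below is a constructed stub.
CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"    # RFC 6962 precertificate poison
CT_SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # RFC 6962 embedded SCT list

def der(tag: int, content: bytes) -> bytes:
    """One TLV with a definite, minimal-length DER length field."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return der(0x06, bytes(body))

def integer(n: int) -> bytes:
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # keeps sign bit clear

def extension(ext_oid: str, value: bytes, critical: bool = False) -> bytes:
    flag = [der(0x01, b"\xff")] if critical else []
    return seq(oid(ext_oid), *flag, der(0x04, value))

def tbs_certificate(serial: int, extensions: list) -> bytes:
    name = seq(der(0x31, seq(oid("2.5.4.3"), der(0x0C, b"example.test"))))  # CN stub
    validity = seq(der(0x17, b"220830000000Z"), der(0x17, b"221128000000Z"))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), der(0x05, b"")), der(0x03, b"\x00" * 33))
    return seq(der(0xA0, integer(2)), integer(serial),             # [0] version v3, serial
               seq(oid("1.2.840.113549.1.1.11"), der(0x05, b"")),  # sha256WithRSAEncryption
               name, validity, name, spki,                          # issuer, validity, subject, key
               der(0xA3, seq(*extensions)))                         # [3] extensions

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, end_offset) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> list:
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def extensions_of(tbs: bytes):
    """Yield (oid, critical, value) for every extension in a TBSCertificate."""
    for ctag, cbody in children(parse_tlv(tbs)[1]):
        if ctag == 0xA3:                       # [3] EXPLICIT Extensions
            for _, ext in children(parse_tlv(cbody)[1]):
                fields = children(ext)
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                yield decode_oid(fields[0][1]), critical, fields[-1][1]

def classify(tbs: bytes) -> str:
    oids = {o for o, _, _ in extensions_of(tbs)}
    return ("precertificate" if CT_POISON_OID in oids else
            "certificate with embedded SCTs" if CT_SCT_LIST_OID in oids else
            "certificate without embedded SCTs")  # SCTs may still arrive via TLS or OCSP

def strip_extension(tbs: bytes, drop_oid: str) -> bytes:
    """Re-encode the TBS without the extension identified by drop_oid."""
    rebuilt = []
    for ctag, cbody in children(parse_tlv(tbs)[1]):
        if ctag == 0xA3:
            cbody = seq(*[der(t, b) for t, b in children(parse_tlv(cbody)[1])
                          if decode_oid(children(b)[0][1]) != drop_oid])
        rebuilt.append(der(ctag, cbody))
    return seq(*rebuilt)

def corresponds(precert_tbs: bytes, final_tbs: bytes) -> bool:
    """RFC 6962 s3.2: precert minus poison == final cert minus SCT list (same-issuer case)."""
    return strip_extension(precert_tbs, CT_POISON_OID) == strip_extension(final_tbs, CT_SCT_LIST_OID)

# Constructed sample: one precertificate and its matching final certificate.
BASE_EXTS = [extension("2.5.29.19", seq(), critical=True)]        # basicConstraints, cA=FALSE
POISON = extension(CT_POISON_OID, der(0x05, b""), critical=True)  # value is ASN.1 NULL
SCT_LIST = extension(CT_SCT_LIST_OID, der(0x04, b"\xab" * 16))    # placeholder SCT bytes
PRECERT_TBS = tbs_certificate(0x1234ABCD, BASE_EXTS + [POISON])
FINAL_TBS = tbs_certificate(0x1234ABCD, BASE_EXTS + [SCT_LIST])
```

`classify(PRECERT_TBS)` returns "precertificate", `classify(FINAL_TBS)` returns "certificate with embedded SCTs", and `corresponds(PRECERT_TBS, FINAL_TBS)` is true, while a certificate built with a different serial number does not correspond. The same stripping logic applies to a real DER certificate's TBSCertificate once the outer Certificate SEQUENCE has been opened; the encoder here exists only to produce the constructed sample offline.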

John Han

Aug 30, 2022, 1:39:42 PM
to dev-secur...@mozilla.org, ryan....@gmail.com, dev-secur...@mozilla.org, John Han
My mistake, I thought it's in the BR but it isn't; only Chrome/Safari require it.

Ryan Hurst

Aug 30, 2022, 1:44:15 PM
to John Han, dev-secur...@mozilla.org
Neither Chrome nor Safari requires the publication of final certificates.

They do display interstitials if SCTs are not present in certificates though.
