It appears that Hongkong Post CA does not submit certificate actually issued to customers to CT log, only precertificate is submitted. I'd like to ask if there is any requirement to submit final certificates to CT log server.
--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/b135842d-cff1-4487-b38a-f2a48daf163fn%40googlegroups.com.
I'm starting to wonder why some CAs are logging their certificates in addition to pre-certificates, if it's not mandatory and we can't count on the presence of certificates...I would even say that the whole communication of CT is about "let's put certificates in a block chain" which in fact is not what's happening.
Pre-certificates can exist with no corresponding certificates, they can appear in logs days before a certificate even exists, etc... That's a lot of uncertainty.Final certificates don't contain much information that's not already in the pre-certificate, so it's not even a privacy issue...Nothing prevents anyone from getting these final certificates (with a hint from pre-certificates) and posting them to a log, if they are served over https (agreed, it's tedious).All or nothing would be OK, but I don't understand the need for the middle ground. Logging both the cert and pre-cert is the most useful though...
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/0b546ac0-dd9d-4bc3-a825-07416d76d8a9n%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/CAK1pxypFa0H-JGrTXycVLAUahztq3g%3DEG35FHgEN_qPvpmb98w%40mail.gmail.com.