Re: Is it required to submit certificate (NOT precertficate) to CT log server?

[Steel, John]

As far as I can tell only the pre cert is required for issuing the cert ( since the actual cert needs to say what log contains the pre cert).

I suppose each client of a website could have different requirements about the actual cert, but I haven't been able to find out one way or the other. 

So in theory a browser could decide to refuse to connect to a site that doesn't have it's full certificate in a log, but I don't think there is any security benefits for doing this. 

On Mon., Mar. 15, 2021, 7:38 a.m. leeyc0, <lee...@gmail.com> wrote:

It appears that Hongkong Post CA does not submit certificate actually issued to customers to CT log, only precertificate is submitted. I'd like to ask if there is any requirement to submit final certificates to CT log server.

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/b135842d-cff1-4487-b38a-f2a48daf163fn%40googlegroups.com.

[Steel, John]

For CAs that so not create pre certificates it's very useful to be able to find a record of them. Gives you an opportunity to catch fraudulent certificates in the wild. 

On Wed., Mar. 31, 2021, 10:56 a.m. Chris Hartwig, <chrisde...@gmail.com> wrote:

I'm starting to wonder why some CAs are logging their certificates in addition to pre-certificates, if it's not mandatory and we can't count on the presence of certificates... 

I would even say that the whole communication of CT is about "let's put certificates in a block chain" which in fact is not what's happening.
Pre-certificates can exist with no corresponding certificates, they can appear in logs days before a certificate even exists, etc... That's a lot of uncertainty.

Final certificates don't contain much information that's not already in the pre-certificate, so it's not even a privacy issue...

Nothing prevents anyone from getting these final certificates (with a hint from pre-certificates) and posting them to a log, if they are served over https (agreed, it's tedious).

All or nothing would be OK, but I don't understand the need for the middle ground. Logging both the cert and pre-cert is the most useful though...

To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/0b546ac0-dd9d-4bc3-a825-07416d76d8a9n%40googlegroups.com.

[Safaa Gemo]

To view this discussion on the web visit https://groups.google.com/d/msgid/certificate-transparency/CAK1pxypFa0H-JGrTXycVLAUahztq3g%3DEG35FHgEN_qPvpmb98w%40mail.gmail.com.