On 15/4/2024 5:13 PM, Andrew Ayer wrote:
> In particular, every precertificate implies the existence of a corresponding final certificate whether the CA says they issued it or not. Treating final certificates and precertificates as equivalent during incident reporting reinforces this rather important facet of CT. Treating them differently may give the impression that "precertificate misissuance" is less bad than "certificate misissuance", a corrosive idea that CAs have repeatedly tried to exploit.
I agree that disclosing a precertificate should be considered sufficient for public incident reports, and there should be no obligation to log the "final" certificate. Every "final" certificate must include SCTs of a logged precertificate so everything needed for further investigation is already included in the trusted CT logs.
Dimitris.
