|
|
|
|
|
|
by jchw
775 days ago
|
|
|
It would be completely possible to do it that way, but doing it this way ensures that at no point does certificate issuance become opaque and impossible to scrutinize. We want to ensure that CAs follow certain rules, and CT logs are one way to do this. For example, a CA should not issue a certificate with a forged "not before" time. There are certainly many more cases like this. Public CT logs mean that the property of transparent certificate issuance extends to the entire Internet, which is good. If you want private certs, you can use a private CA and deploy it to the machines in your domain. Totally reasonable alternative in my opinion. |
|
|