by bawolff 481 days ago
> In theory it is good, but somehow it is also a big threat to privacy and security of your infrastructure.

This is silly. Certificates have to be in CT logs regardless of whether Firefox validates or not.

Additionally this doesn't apply to private CAs, so internal infrastructure is probably not affected unless you are using public web PKI on them.


Technically incorrect, which is presumably the best kind of incorrect?

Certificate logging is not mandatory, none of the Root Programmes (agreements with typically browser vendors to recognise your CA roots) require logging. Now, in practice the browsers may reject certificates if they aren't presented a logging proof (in the certificate or stapled to it by the protocol, or some other means) but that's not a violation of your agreement with the vendor.

Most CAs (obviously including ISRG / Let's Encrypt) always log every certificate, but some either have programmes where you can pick or legacy systems which just don't do this. You can log such a certificate yourself, if you want, and then staple the receipts to your connection setup - but most people don't know how and don't want to learn.
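The "log it yourself and staple the receipts" step the reply describes, as an added example that is not either commenter's code: it parses the JSON a CT log returns from its RFC 6962 add-chain endpoint into an SCT, encodes it as the SignedCertificateTimestampList that the TLS signed_certificate_timestamp extension carries, and parses that list back, checking lengths and version so a truncated or malformed receipt is rejected rather than served. The add-chain reply it uses is constructed (no real log id, timestamp or signature), and the HTTP submission itself is left out.

```python
import base64
import json
import struct
from collections import namedtuple
SCT_V1 = 0  # the only SCT version RFC 6962 defines
# log_id: SHA-256 of the log's public key (32 bytes); timestamp_ms: ms since epoch;
# extensions: CtExtensions (empty for v1 logs); signature: DigitallySigned blob
SCT = namedtuple("SCT", "log_id timestamp_ms extensions signature")

def sct_from_add_chain_response(body: str) -> SCT:
    """Parse the JSON a log returns from /ct/v1/add-chain (RFC 6962 s4.1)."""
    r = json.loads(body)
    log_id, sig = base64.b64decode(r["id"]), base64.b64decode(r["signature"])
    if (r["sct_version"] != SCT_V1 or len(log_id) != 32 or len(sig) < 4
            or struct.unpack(">H", sig[2:4])[0] != len(sig) - 4):
        raise ValueError("bad sct_version, log id or DigitallySigned signature")
    return SCT(log_id, int(r["timestamp"]), base64.b64decode(r["extensions"]), sig)

def serialize_sct(sct: SCT) -> bytes:
    """One SCT in the RFC 6962 s3.2 wire format."""
    return (bytes([SCT_V1]) + sct.log_id + struct.pack(">Q", sct.timestamp_ms)
            + struct.pack(">H", len(sct.extensions)) + sct.extensions + sct.signature)

def sct_list_extension(scts: list) -> bytes:
    """SignedCertificateTimestampList (RFC 6962 s3.3): total length, then length-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in map(serialize_sct, scts))
    if not 1 <= len(body) <= 0xFFFF:
        raise ValueError("SCT list must hold 1..65535 bytes")
    return struct.pack(">H", len(body)) + body

def parse_sct_list(blob: bytes) -> list:
    """Inverse of sct_list_extension; rejects length mismatches and unknown versions."""
    if len(blob) < 2 or struct.unpack(">H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("list length mismatch")
    scts, pos = [], 2
    while pos < len(blob):
        (n,) = struct.unpack(">H", blob[pos:pos + 2])
        raw = blob[pos + 2:pos + 2 + n]
        if len(raw) != n or n < 47 or raw[0] != SCT_V1:  # 43-byte header + 4-byte min sig
            raise ValueError("bad SCT entry")
        (ext_len,) = struct.unpack(">H", raw[41:43])
        scts.append(SCT(raw[1:33], struct.unpack(">Q", raw[33:41])[0],
                        raw[43:43 + ext_len], raw[43 + ext_len:]))
        pos += 2 + n
    return scts
def constructed_add_chain_response() -> str:
    """A made-up add-chain reply (not from any real log) for the round-trip check."""
    sig = bytes([4, 3]) + struct.pack(">H", 3) + b"sig"  # sha256, ecdsa, dummy value
    return json.dumps({"sct_version": 0, "id": base64.b64encode(b"\x11" * 32).decode(),
                       "timestamp": 1700000000000, "extensions": "",
                       "signature": base64.b64encode(sig).decode()})
```

The bytes returned by sct_list_extension are what a server hands to its TLS stack for the signed_certificate_timestamp extension; the same list format is used inside the OCSP and X.509 SCT extensions.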