Comment by plagiat0r
7 days ago
All I'm saying is that publishing the final certificate is not required for the process, so just assuming it will be there is premature. A user may end up putting a precert on his HTTPS server and find out the hard way.
Happy to see LE publish both, but others do not. Here is an example: https://crt.sh/?id=17293798014
You won't find the final certificate from DigiCert/GlobalSign in the CT logs.
Unless the owner publishes it himself; the API is open for submission, I think, for everybody.
The comment I made was explicit that this works for Let's Encrypt. You replied that it doesn't, apparently without checking the logs, because if you'd glanced at them it's like 1:1 pre-certificates to actual certificates from Let's Encrypt, and I explained that you're wrong.
I'm not disputing that there could be a world where you're correct, but it's not this world, which is why I even made that comment. That doesn't make relying on the logs for this a brilliant idea; it's just an observation that in fact it could work.
Note that we only do best-effort submission of final certs, so it's not actually guaranteed that they end up being logged.