Different Timestamps from different Log servers

I in community post i found it in multiple posts that lets encrypt CA submit precert to Log server and receive SCT which it embeds into the final cert and again submit it to Log server

Lets understand it by a live example : -
Precert : - https://crt.sh/?id=2661737250

|2020-04-03 08:03:25 UTC | 275084726 | Cloudflare | https://ct.cloudflare.com/logs/nimbus2020|
|2020-04-03 08:03:25 UTC | 460285901 | Google | https://ct.googleapis.com/logs/xenon2020|

Final cert :- https://crt.sh/?id=2661738285

|2020-04-03 08:03:25 UTC | 475197205 | Google | https://ct.googleapis.com/logs/argon2020|
|2020-04-03 08:03:25 UTC | 460286022 | Google | https://ct.googleapis.com/logs/xenon2020|
|2020-04-06 00:03:45 UTC | 1091178038 | Google | https://ct.googleapis.com/rocketeer|
|2020-04-06 02:08:33 UTC | 1027005246 | Google | https://ct.googleapis.com/pilot|

precert is submitted to one google ( xenon ) and one non google ( cloudflare ) CT Log Server and the replied SCT is embeded in final cert as certi extension

Now as far as i read about the CT logging in certificates having embedded SCT domain server ( the certificate owner ) has no rule in submitting the final certifcate to the CT log server so this means Lets Encrypt CA is submitting final leaf certificate to 4 different Log servers to 4 Different google Log servers that too with 3 days delay ??

Let's Encrypt simultaneously submits the precertificate to a bunch of logs; once it gets enough SCTs, it cancels any pending HTTP requests. So in practice precertificates are successfully submitted to a somewhat variable number of logs.

Nobody has to log the final certificates. Not you, Let's Encrypt, or anyone else. But anyone can.

Let's Encrypt's practice has been to submit them to a smaller number of logs (about 2 of Argon, Xenon and Oak; it's changed over time).

Someone seems to go around submitting pretty much every actively used certificate to Pilot and Rocketeer. I don't think it's Let's Encrypt. I think it might be Googlebot, but I'm not sure.

Edit: Let's Encrypt may have a batch job to retry submitting final certs later if it fails the first time. So they might log some certificates after the moment of issuance. But that shouldn't be what's happening here.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.