With the recent addition of SCTs in Let's Encrypt certificates I noted something: the final certificates no longer get logged to Certificate Transparency.
Background: when using SCTs embedded in certs, Let's Encrypt first issues a so-called pre-certificate that gets submitted to logs; the logs then issue a signed statement (the SCT) that is finally included in the final certificate. It seems LE decided to only log the precertificate now and not the final cert.
I wanted to start a discussion about this. While I don't think it's a huge issue, I believe it would be better if both the precert and the final cert were logged. This would allow better visibility into what's going on in the CA ecosystem and may uncover bugs, e.g. in the encoding of SCTs. See also the Twitter discussion that started when I tweeted about this.
From what I understand, the argument for not logging is that it overloads the logs with too many certs. But I believe this is not a very strong argument. As long as certificates are actually used on the public Internet it is very likely that they will be logged anyway, as for example the Google crawler automatically logs them.
The delayed logging may also be confusing for people using CT monitoring services like Facebook or certspotter. People will get one notification when a cert is issued due to the precertificate and another one at a random point when the Google crawler spots their cert. I believe it would be less confusing to get a single notification for both the precert and the cert when a cert is issued.
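The post mentions that logging final certificates could surface encoding bugs in the embedded SCTs. The kind of check a monitor would run on a final certificate is a strict decoder of the RFC 6962 SignedCertificateTimestampList, the TLS-encoded structure carried inside the X.509 extension with OID 1.3.6.1.4.1.11129.2.4.2 (the precertificate instead carries the poison extension 1.3.6.1.4.1.11129.2.4.3 and no SCT list). The following is an added example written for this discussion, not code from Let's Encrypt or from any CT log or monitor. It assumes the caller has already unwrapped the extension's OCTET STRING and passes the raw list bytes; the log ids, timestamps and signatures in `SAMPLE_LIST` are constructed dummies, and no signature is verified.

```python
"""Strict decoder for an RFC 6962 SignedCertificateTimestampList.

Every length field must agree exactly with the bytes present, so an SCT whose
encoding is off by even one byte is rejected instead of being silently accepted.
"""
import struct
from datetime import datetime, timezone

SCT_VERSION_V1 = 0
# Enum values from the SCT's DigitallySigned field (RFC 5246 HashAlgorithm /
# SignatureAlgorithm); only the ones CT logs use in practice are named here.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def _take(data, pos, n, what):
    """Return (data[pos:pos+n], new_pos) or raise if the structure is truncated."""
    if pos + n > len(data):
        raise ValueError(f"truncated SCT data while reading {what}")
    return data[pos:pos + n], pos + n


def parse_sct(sct):
    """Decode a single SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    pos = 0
    version, pos = _take(sct, pos, 1, "version")
    if version[0] != SCT_VERSION_V1:
        raise ValueError(f"unsupported SCT version {version[0]}")
    log_id, pos = _take(sct, pos, 32, "log id")          # SHA-256 of the log's public key
    ts_raw, pos = _take(sct, pos, 8, "timestamp")         # milliseconds since the Unix epoch
    timestamp_ms = struct.unpack(">Q", ts_raw)[0]
    ext_len_raw, pos = _take(sct, pos, 2, "extensions length")
    ext_len = struct.unpack(">H", ext_len_raw)[0]
    extensions, pos = _take(sct, pos, ext_len, "extensions")
    algs, pos = _take(sct, pos, 2, "signature algorithms")
    sig_len_raw, pos = _take(sct, pos, 2, "signature length")
    sig_len = struct.unpack(">H", sig_len_raw)[0]
    signature, pos = _take(sct, pos, sig_len, "signature")
    if pos != len(sct):
        raise ValueError(f"{len(sct) - pos} trailing bytes after SCT")
    return {
        "log_id": log_id.hex(),
        "timestamp_ms": timestamp_ms,
        "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc).isoformat(),
        "extensions": extensions,
        "hash_alg": HASH_ALGS.get(algs[0], f"unknown({algs[0]})"),
        "sig_alg": SIG_ALGS.get(algs[1], f"unknown({algs[1]})"),
        "signature": signature,
    }


def parse_sct_list(data):
    """Decode the outer list: a 2-byte total length followed by 2-byte
    length-prefixed serialized SCTs. RFC 6962 requires the list to be non-empty."""
    total_raw, pos = _take(data, 0, 2, "list length")
    total = struct.unpack(">H", total_raw)[0]
    if total != len(data) - 2:
        raise ValueError(f"list length {total} does not match {len(data) - 2} available bytes")
    if total == 0:
        raise ValueError("SCT list must contain at least one SCT")
    scts = []
    while pos < len(data):
        n_raw, pos = _take(data, pos, 2, "SCT length")
        n = struct.unpack(">H", n_raw)[0]
        sct, pos = _take(data, pos, n, "SCT body")
        scts.append(parse_sct(sct))
    return scts


# --- constructed sample data: dummy log ids and signatures, not real SCTs ---
def build_sct(log_id, timestamp_ms, signature, extensions=b""):
    """Encode one v1 SCT with sha256(4)/ecdsa(3) algorithm identifiers."""
    return (bytes([SCT_VERSION_V1]) + log_id + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", len(extensions)) + extensions
            + bytes([4, 3]) + struct.pack(">H", len(signature)) + signature)


def build_sct_list(scts):
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


SAMPLE_LIST = build_sct_list([
    build_sct(bytes([0x11]) * 32, 1521000000000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    build_sct(bytes([0x22]) * 32, 1521000001000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])


if __name__ == "__main__":
    for entry in parse_sct_list(SAMPLE_LIST):
        print(entry["log_id"][:16], entry["timestamp"], entry["hash_alg"], entry["sig_alg"])
```

A monitor comparing a logged precertificate with the final certificate would run this over the final cert's extension and then check that each decoded `log_id` and `timestamp_ms` matches an SCT the logs actually returned; the strict length checks are what turn a mis-encoded list into a visible error rather than a quietly truncated one.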