If a CA "forgets" to add a certificate to the CT log, they need a really good ex...

		namibj on Dec 17, 2019 \| parent \| context \| favorite \| on: Giving every IPv6 address a name If a CA "forgets" to add a certificate to the CT log, they need a really good excuse to not get distrusted immediately. That's part of the reasoning: malicious certs are almost useless if you don't present them to a client. And if that client manages to exfiltrate the cert...

You have a very good point.