Why Certificate Transparency Exists
Problem: A rogue or compromised CA can issue a valid cert for amazon.com.
The cert chains to a trusted root like any legitimate cert, so it passes chain validation — nothing in TLS itself catches it.
Real example: DigiNotar (2011) issued fraudulent certs for Google.com, which were
used to MITM Iranian users. It was not caught until users reported unusual browser behavior.
CT solution: All publicly trusted CA certs must be logged to public, append-only
CT logs. The log returns a signed proof of inclusion, and browsers require this proof before accepting the cert.
Any misissued cert is now publicly visible and auditable, so it can be detected rather than remaining hidden.
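As an added example (not part of the original note), here is the append-only log's Merkle tree structure and the inclusion-proof check a client runs, in Python following the RFC 6962 / RFC 9162 hashing rules; the log entries are constructed placeholders rather than real certificates, and the log's signature over the tree head is assumed to have been verified separately.

```python
import hashlib

# Constructed stand-ins for log entries; a real CT leaf wraps the (pre)cert.
LOG_ENTRIES = [b"constructed-cert:example.com:1", b"constructed-cert:example.net:2",
               b"constructed-cert:example.org:3", b"constructed-cert:amazon.com:4",
               b"constructed-cert:example.edu:5"]

def leaf_hash(entry):          # RFC 6962 leaf: 0x00 prefix (domain separation)
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left, right):    # RFC 6962 interior node: 0x01 prefix
    return hashlib.sha256(b"\x01" + left + right).digest()
def split_point(n):            # largest power of two strictly less than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def tree_head(entries):
    # Merkle Tree Hash of a non-empty log; this is the root the log signs.
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split_point(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(entries, m):
    # Audit path for leaf m: the sibling hashes from the leaf up to the root.
    n = len(entries)
    if n <= 1:
        return []
    k = split_point(n)
    if m < k:
        return inclusion_proof(entries[:k], m) + [tree_head(entries[k:])]
    return inclusion_proof(entries[k:], m - k) + [tree_head(entries[:k])]

def verify_inclusion(entry, m, tree_size, proof, root):
    # Client-side check (RFC 9162 2.1.3.2): recompute the root from leaf, index,
    # tree size and audit path alone, without seeing any other log entry.
    if m >= tree_size:
        return False
    fn, sn, r = m, tree_size - 1, leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn:      # climb past levels with no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

verify_inclusion(LOG_ENTRIES[3], 3, 5, inclusion_proof(LOG_ENTRIES, 3), tree_head(LOG_ENTRIES)) returns True, while a forged entry, a truncated path or an out-of-range index returns False.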