[tptacek]

How does that make sense? CT, in the sense we all understand it, would imply that all these enterprises would have to publish their internal hostnames --- names used only within their own networks by their own users --- to public logs.

[JoshTriplett]

The logs don't necessarily have to be public; they just have to be accessible to the browsers browsing sites using those certificates.

Requiring CT universally, even for "private" CAs, provides detailed evidence for several kinds of problems, such as various laptop vendors who have pre-installed MITMing proxies. It doesn't prevent those kinds of behaviors, but it makes denials less credible.

[aeijdenberg]

Should such a requirement (CT for private CAs) exist, wouldn't the said laptop vendor simply ship embedded SCTs in their fake certs signed by their own fake log key, also baked into Chrome? (that doesn't even need to correspond to a log, at least in the case of static SCT validation)

When a laptop vendor is building the device that's being shipped, I don't think it's practical for a browser vendor to be able to expect to win that arms race.

[JoshTriplett]

As mentioned in my previous comment:

> It doesn't prevent those kinds of behaviors, but it makes denials less credible.

Once you start doing more malicious modifications of the browser, it should be more obvious (to both you and anyone observing or doing forensics on your behavior) that you're doing something malicious.

[tptacek]

Companies running their own MITM policies for their own devices aren't doing something malicious. This is one of the older Internet trust ideological battles, and those claiming that browsers should add features to make it harder for companies to manage their own equipment have lost it, pretty conclusively. See also: pinning overrides.

[vtlynch]

There are a lot of reasons that CT does not make sense for private CAs, and there is no indication that Google will be requiring it any any point.