[agwa]

That is not true. CAs are not required to log their certificates. Instead, Chrome and Safari by default do not accept certificates unless they are accompanied by a signed receipt from a recognized log. If you don't need your certificate to work in a default-configured Chrome or Safari there is no need for your certificate to be logged.

Source: I work in this space

[tptacek]

Here what you really mean is "if your certificates will never touch Chrome", because it's not just that Chrome won't accept them, but that Chrome's SCT auditing is part of a surveillance system for certificate misissuance.

[agwa]

I'm not sure what you mean by "surveillance system for certificate misissuance". Chrome's SCT auditing has nothing to do with detecting certificate misissuance; just misbehaving logs.

[tptacek]

I'm literally just waking up right now and typing this from bed (ignore what that says about me as a person) so cut me some slack if this makes no sense and I reserve the right to come back and "clarify" what I was saying but: if Chromes see a Sectigo certificate for (say) Facebook.com with no SCTs, Google is going to notice.

[agwa]

Nope. If Chrome sees a certificate with no SCTs, it rejects the certificate but doesn't report it to Google. (Except possibly for telemetry.) Google doesn't care if CAs issue certificates without SCTs; in fact, some CAs routinely do so for customers which want to keep internal hostnames private. (e.g. https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpra...)

SCT auditing only takes place if a certificate has SCTs. SCT auditing checks to make sure that the log really published the certificate. If it didn't, then the bad SCT is reported to Google so the log can be kicked out of Chrome.

[tptacek]

Yep, I acknowledge this is the case. Thanks for the correction!