[tptacek]

I'm literally just waking up right now and typing this from bed (ignore what that says about me as a person) so cut me some slack if this makes no sense and I reserve the right to come back and "clarify" what I was saying but: if Chromes see a Sectigo certificate for (say) Facebook.com with no SCTs, Google is going to notice.

[agwa]

Nope. If Chrome sees a certificate with no SCTs, it rejects the certificate but doesn't report it to Google. (Except possibly for telemetry.) Google doesn't care if CAs issue certificates without SCTs; in fact, some CAs routinely do so for customers which want to keep internal hostnames private. (e.g. https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpra...)

SCT auditing only takes place if a certificate has SCTs. SCT auditing checks to make sure that the log really published the certificate. If it didn't, then the bad SCT is reported to Google so the log can be kicked out of Chrome.

[tptacek]

Yep, I acknowledge this is the case. Thanks for the correction!