by megamorf 482 days ago
Doesn't this effectively render corporate CAs useless?
3 comments

Another comment mentioned [0]. Enterprises and people running a private CA can set "security.pki.certificate_transparency.disable_for_hosts" to disable CT for certain domains (plus all their subdomains).

I just hope they automatically disable it for non-public TLDs, both from IANA and RFC 6762.

[0] https://wiki.mozilla.org/SecurityEngineering/Certificate_Tra...

> Doesn't this effectively render corporate CAs useless?

All of the browsers ignore transparency for enterprise roots. To determine which is which, the list of actual public roots is stored separately in the CA database, listed in chrome://certificate-manager/crscerts for Chrome and listed as a "Builtin Object Token" in Firefox's Certificate Manager.

No, it just makes any CA accountable for all the certs they issue.