Are CAs required to do that in general?
CAs are not required to do that in general. Depending on the threat model, it’s not clear that the issuing CA is always better equipped than other people to monitor for misissuance via CT.
It would be excellent if third-party security researchers found ways of monitoring CT for various kinds of anomalies. Perhaps some of them are already doing this.
To detect key theft of the private key of an intermediate certificate, shouldn’t it be enough to do an OCSP request? As Let’s Encrypt didn’t issue the end-entity certificate, it can’t answer with a valid OCSP response.
I thought OCSP simply checks for revocation. E.g. certificate not in revoked certificates list -> CA returns successful response. Not sure how OCSP could catch that?
If you ask about a certificate that the CA doesn’t know is valid, it should not return an affirmative response. I don’t remember which OCSP code Let’s Encrypt returns in this case, but I can try to test it later.
Wait, are OCSP responses signed by the same key that is supposedly “stolen”? Can’t those also be forged?
Are you talking about the theft of issuer keys or end-entity keys? [S]CT defends against the former.
I am talking about theft of root or intermediary keys.
Yes, but the attacker would have to get in the middle of the OCSP query between the researcher and the CA, which is a different capability from possessing the key.
E.g. that would require a global attack that would cost millions in itself to reliably do?
I don’t know how to quantify it; I just mean to say that there’s a potential mechanism suggested by @tdelmas to check for one attack, and that mechanism couldn’t be subverted without a different, additional attack of a different nature.