Regarding @jsha’s announcement at https://community.letsencrypt.org/t/signed-certificate-timestamps-embedded-in-certificates/57187/2
I looked at newly issued certificates in CT and didn’t see the SCTs themselves but rather a “CT Precertificate Poison” extension. This makes sense because what’s submitted to the CT logs with this technology is not the certificate itself but rather the precertificate.
When I visited a site with a newly-issued certificate, I confirmed that it did have the 1.3.6.1.4.1.11129.2.4.2 OID. So, it superficially looks like this is working smoothly for a randomly-chosen certificate (though I didn’t attempt to validate the contents of the extension). Unfortunately, Chromium didn’t provide an apparent way to confirm that the SCT is valid—I would have thought that feature would already have been rolled out even before the SCT enforcement took place.
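
An added example, not part of the original post: a structural decoder for the contents of the embedded SCT list extension, following the TLS encoding in RFC 6962. It assumes the input is the inner bytes of the extension (after the two OCTET STRING wrappers are removed); the sample bytes, the `classify` helper and `build_sample` are constructed for illustration, and the signature is a placeholder that no log would verify.

```python
import struct

POISON_OID = "1.3.6.1.4.1.11129.2.4.3"    # CT precertificate poison (RFC 6962)
SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"  # embedded SCT list (RFC 6962)

def classify(extension_oids):
    """Tell a precertificate from a final certificate by its CT extensions."""
    if POISON_OID in extension_oids:
        return "precertificate"
    return "certificate with embedded SCTs" if SCT_LIST_OID in extension_oids else "no CT extensions"

def parse_sct(sct):
    """Decode one v1 SignedCertificateTimestamp (RFC 6962, section 3.2)."""
    if len(sct) < 47 or sct[0] != 0:
        raise ValueError("not a v1 SCT")
    timestamp_ms, ext_len = struct.unpack_from(">QH", sct, 33)
    sig_off = 43 + ext_len  # version(1) + log id(32) + timestamp(8) + ext length(2)
    if sig_off + 4 > len(sct):
        raise ValueError("truncated SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, sig_off)
    if sig_off + 4 + sig_len != len(sct):
        raise ValueError("signature length mismatch")
    return {"log_id": sct[1:33].hex(), "timestamp_ms": timestamp_ms,
            "hash_alg": hash_alg, "sig_alg": sig_alg,
            "signature": sct[sig_off + 4:]}

def parse_sct_list(data):
    """Decode the TLS-encoded SignedCertificateTimestampList (section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + sct_len > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[pos + 2:pos + 2 + sct_len]))
        pos += 2 + sct_len
    return scts

def build_sample():
    """Constructed sample: one SCT with a placeholder (invalid) signature."""
    sct = struct.pack(">B32sQH", 0, bytes(range(32)), 1521590400000, 0)
    sct += struct.pack(">BBH", 4, 3, 4) + b"\xde\xad\xbe\xef"  # sha256, ecdsa
    return struct.pack(">H", len(sct) + 2) + struct.pack(">H", len(sct)) + sct

if __name__ == "__main__":
    for entry in parse_sct_list(build_sample()):
        print(entry)
```

This only checks that the structure is well formed; confirming that an SCT is valid additionally requires verifying its signature against the public key of the log named by `log_id`.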