We’re planning to submit certificates to CT logs, which we think is the most important part: being transparent and open about the certificates we issue, and allowing the public to research and analyze them. If we provide SCTs, it would be via OCSP, definitely not by X.509v3 extension. But we’re not yet sure if we’ll provide SCTs via OCSP at launch. In particular, necessary support for OCSP extensions seems to be absent from Golang. However, subscribers who want to provide SCTs with their certificates should be able to fetch them directly from the CT logs and provide them via TLS extension.
6 Likes