It’s been mandatory since 2018. Browsers will reject certificates which have not been publicly logged.
Perhaps next you’ll wonder if it’s as simple as compromising a CA and a CT log? Nope, as browsers require cryptographic attestations from multiple CT logs. If you’re using Chrome, one of those logs has to be the one operated by Google.
Also such collusion will soon be defeated by SCT auditing https://www.hardenize.com/blog/certificate-transparency-sct-...
https://docs.google.com/document/d/16G-Q7iN3kB46GSW5b-sfH5MO...
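An added example, not part of the thread above: a parser for the TLS-encoded SCT list defined in RFC 6962, with a check that the SCTs come from enough distinct logs. The function names, the `min_logs=2` default (standing in for "multiple"), the `required_log_ids` parameter (modelling the "one of those logs has to be" condition) and the sample log IDs are assumptions made for illustration.

```python
import struct

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(sct) < 47 or sct[0] != 0:   # 1+32+8+2 header, then 1+1+2 signature header
        raise ValueError("truncated or non-v1 SCT")
    timestamp_ms, ext_len = struct.unpack_from(">QH", sct, 33)
    pos = 43 + ext_len
    if pos + 4 > len(sct):
        raise ValueError("extensions overrun SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if pos + 4 + sig_len != len(sct):
        raise ValueError("signature length mismatch")
    return {"log_id": sct[1:33], "timestamp_ms": timestamp_ms,
            "hash_alg": hash_alg, "sig_alg": sig_alg}

def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962 section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("bad list length")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("SCT overruns list")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def meets_policy(scts, min_logs=2, required_log_ids=()):
    """Count distinct logs, not SCTs. Signatures are NOT verified here."""
    ids = {s["log_id"] for s in scts}
    return len(ids) >= min_logs and all(r in ids for r in required_log_ids)

def build_list(log_ids):
    """Constructed sample input: dummy 8-byte signatures, fixed timestamp."""
    out = b""
    for lid in log_ids:
        sct = (b"\x00" + lid + struct.pack(">QH", 1700000000000, 0)
               + struct.pack(">BBH", 4, 3, 8) + b"\x00" * 8)
        out += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(out)) + out

LOG_A, LOG_B = b"A" * 32, b"B" * 32    # constructed log IDs, not real logs
```

Two SCTs from the same log fail the check, because the set of log IDs has only one member.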