> while it does not protect against a compromised CA
Although it does prove that a CA has been compromised. That significantly raises the kind of "compromise" that the CA would need to have suffered.
...
It may confuse people that you have chosen a name which affiliates your proposal with something ("Expect-CT") which was recently deprecated.
I also suggest simplifying it to merely require method (1). In other words: "non-browser TLS clients should require an embedded SCT (RFC 9162 section 7.1.2)".
Requiring that a non-browser TLS client implement OCSP is a pretty big burden. Since OCSP uses HTTP this imposes a "must speak HTTP" mandate on all TLS clients! HTTP has become an incredibly complex protocol over the years. It would also make me very uneasy if all of my TLS client software had to have the ability to reach out and contact arbitrary servers.
Perhaps even: "newly-introduced TLS-based protocols should require that clients reject server certificates which lack an embedded SCT, but the client need not validate the SCT".
> while it does not protect against a compromised CA
Although it does prove that a CA has been compromised. That significantly raises the kind of "compromise" that the CA would need to have suffered.
...
It may confuse people that you have chosen a name which affiliates your proposal with something ("Expect-CT") which was recently deprecated.
I also suggest simplifying it to merely require method (1). In other words: "non-browser TLS clients should require an embedded SCT (RFC 9162 section 7.1.2)".
https://datatracker.ietf.org/doc/html/rfc9162#section-7.1.2
Requiring that a non-browser TLS client implement OCSP is a pretty big burden. Since OCSP uses HTTP this imposes a "must speak HTTP" mandate on all TLS clients! HTTP has become an incredibly complex protocol over the years. It would also make me very uneasy if all of my TLS client software had to have the ability to reach out and contact arbitrary servers.
Perhaps even: "newly-introduced TLS-based protocols should require that clients reject server certificates which lack an embedded SCT, but the client need not validate the SCT".