Now that I think about this more, I'm wondering how the certificate transparency program can be protected. The certificate information would have to be submitted out-of-band to be sure that it hasn't been tampered with, right? It wouldn't make sense to communicate about certificate security using infrastructure that depends on the same technology.
I was thinking about this because I was wondering if you could use secure DNS to store certificate fingerprints. That doesn't make sense, though, because secure DNS also depends on PKI.