In https://bugzilla.mozilla.org/show_bug.cgi?id=1852404, certificates were issued with an SCT extension that was empty.
The extension shouldn't be present if it is empty. The incident report mentions that zlint and other linters didn't catch it. This seems like an easy mistake to make and worth adding a lint for.
I believe this should be an rfc error lint per reference: https://datatracker.ietf.org/doc/html/rfc6962#section-3.3 which says:
At least one SCT MUST be included.
Baseline Requirements 7.1.2.11.3 Signed Certificate Timestamp List references the above RFC so it could reasonably be a cabf_br lint as well, but that seems more indirect than needed to me.
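
One way the check behind such a lint could look, as an added example that is not zlint's code or part of the original issue: it walks the RFC 6962 framing of the extension value (a DER OCTET STRING wrapping a TLS-encoded, length-prefixed list) and reports a list with no SCT. The names `CountSCTs`, `ErrEmptySCTList` and `errMalformed` are hypothetical, and the byte strings are constructed samples.

```go
package main

import (
	"encoding/asn1"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrEmptySCTList = errors.New("SCT list extension is present but contains no SCT") // RFC 6962 section 3.3
	errMalformed    = errors.New("malformed SignedCertificateTimestampList")
)

// CountSCTs takes the value of extension 1.3.6.1.4.1.11129.2.4.2 and returns how many
// SerializedSCT entries it holds. It checks framing only, not the contents of each SCT.
func CountSCTs(extValue []byte) (int, error) {
	var inner []byte
	rest, err := asn1.Unmarshal(extValue, &inner)
	switch {
	case err != nil || len(rest) != 0:
		return 0, errMalformed // not exactly one DER OCTET STRING
	case len(inner) == 0:
		return 0, ErrEmptySCTList // zero-length OCTET STRING
	case len(inner) < 2 || int(binary.BigEndian.Uint16(inner)) != len(inner)-2:
		return 0, errMalformed // outer uint16 length must cover the rest exactly
	}
	count := 0
	for body := inner[2:]; len(body) > 0; count++ {
		if len(body) < 2 {
			return 0, errMalformed
		}
		n := int(binary.BigEndian.Uint16(body))
		if n == 0 || n > len(body)-2 {
			return 0, errMalformed // each SerializedSCT is opaque<1..2^16-1>
		}
		body = body[2+n:]
	}
	if count == 0 {
		return 0, ErrEmptySCTList // list length prefix of zero
	}
	return count, nil
}

func main() { // inputs below are constructed; "AA BB CC" is filler, not a real SCT
	for _, v := range [][]byte{{4, 0}, {4, 2, 0, 0}, {4, 7, 0, 5, 0, 3, 0xAA, 0xBB, 0xCC}} {
		n, err := CountSCTs(v)
		fmt.Printf("%x -> count=%d err=%v\n", v, n, err)
	}
}
```
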