> isn't this something that certificate transparency should help solve?
No. CT is meant to help find illegitimate server certificate issuance by participating CAs, but it cannot help the user-agent get past illegitimate server certs.
Besides, the whole point here is to make the user-agent fail to load the page, therefore the network operator's firewall's CA would not participate in CT (nor be a CAB member), and the network operator does not just not mind that the illegitimate server certificate is noticed, they want it noticed.
> CT is meant to help find illegitimate server certificate issuance by participating CAs, but it cannot help the user-agent get past illegitimate server certs.
That's the point though. I'd rather the user-agent tell me that the certificate is invalid. That's as far as it's currently going anyway when a certificate is, for example, self-signed.
> Besides, the whole point here is to make the user-agent fail to load the page,
That's exactly the minimum that should happen, yes. User-agent sees that the certificate isn't correctly issued for the domain and refuses to send the HTTP request (though SNI is already sent...)
> the network operator does not just not mind that the illegitimate server certificate is noticed, they want it noticed.
More than just noticed: the network operator wants the user to inappropriately act on the illegitimate server certificate.
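To make the mechanics of this exchange concrete, here is a small Go program (an added example, not code from any participant in this thread) that stands up a local TLS listener presenting a certificate for a hostname signed by a private CA, and then connects to it with a client whose trust store either does or does not contain that CA. It shows three things the comments above rely on: the listener learns the hostname from the plaintext SNI before it has sent any certificate at all; a client that does not trust the private CA, or whose target hostname does not match the certificate, aborts the handshake and never writes an HTTP request; and once the user has installed the private root, the very same interception completes silently. The names "Firewall Root CA", "example.com" and "bank.example", and the functions newCert and interceptedConnect, are illustrative choices for this example and nothing more. It uses only the Go standard library and runs entirely on 127.0.0.1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must unwraps a (value, error) pair; the setup failures below are not worth handling.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
type certPair struct { // a certificate, its DER encoding and its private key
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate: with parent == nil a self-signed CA (the stand-in
// for the firewall's CA), otherwise a leaf for dnsName signed by parent.
func newCert(cn, dnsName string, parent *certPair) *certPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	} else {
		tmpl.DNSNames = []string{dnsName}
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &certPair{cert: must(x509.ParseCertificate(der)), der: der, key: key}
}
// Outcome records what the intercepting box saw and what the client did.
type Outcome struct {
	SNISeen     string // hostname the client revealed in its plaintext ClientHello
	HandshakeOK bool   // client accepted the certificate the box presented
	RequestSent bool   // HTTP request bytes actually left the client
	Err         string // client's verification error, empty on success
}

// interceptedConnect makes one TLS connection to a local listener presenting a cert for
// "example.com" issued by a private "Firewall Root CA" (names assumed for this example);
// trustOperatorCA models the user having installed that root in the client's trust store.
func interceptedConnect(serverName string, trustOperatorCA bool) (out Outcome) {
	operatorCA := newCert("Firewall Root CA", "", nil)
	leaf := newCert("example.com", "example.com", operatorCA)
	sniCh := make(chan string, 1)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.der}, PrivateKey: leaf.key}},
		// Runs on the ClientHello, i.e. before the box has sent any certificate.
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			sniCh <- h.ServerName
			return nil, nil
		},
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			conn.Read(make([]byte, 64)) // completes the handshake, then drains any request
			conn.Close()
		}
	}()
	roots := x509.NewCertPool() // deliberately empty: the operator CA is no public root
	if trustOperatorCA {
		roots.AddCert(operatorCA.cert)
	}
	client, hsErr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: serverName, RootCAs: roots})
	select {
	case out.SNISeen = <-sniCh: // the box learned the hostname whatever happens next
	case <-time.After(2 * time.Second):
		panic("listener never saw a ClientHello")
	}
	if hsErr != nil {
		out.Err = hsErr.Error() // the user-agent stops here; no HTTP request is ever written
		return out
	}
	defer client.Close()
	out.HandshakeOK = true
	if _, err := client.Write([]byte("GET / HTTP/1.1\r\nHost: " + serverName + "\r\n\r\n")); err == nil {
		out.RequestSent = true
	}
	return out
}
```

Calling interceptedConnect("example.com", false) gives SNISeen "example.com" with an x509 "unknown authority" error and no request sent; interceptedConnect("bank.example", true) fails on the hostname mismatch even though the root is trusted; only interceptedConnect("example.com", true), the state the operator wants the user to put their machine into, completes the handshake and lets the request through. The empty RootCAs pool is deliberate: a nil pool would silently fall back to the system roots, which is exactly the trust store an installed firewall CA would be sitting in.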