Yes, yes, but that doesn't prevent. In theory it can only detect, after the fact, and only if someone bothers to investigate. And even then how do I prove that this was an NSA issued certificate and not issued to the true website? Hard one. Also, CTs have been pretty leaky so far. Either they were not enforced for all certificates, or the CT logs were run by the CAs themselves (fox guarding the henhouse) who simply don't have to put the abusive certs into the log (Let's Encrypt did this, which makes me suspicious of them). Browser enforcement is the right place to do it, but researching Chrome's CT policy refers to a deeper CT Log Policy which basically opens up the logs to as many log providers as wish to exist. The NSA probably has their own log.

And in any case, it's completely the wrong solution. When mistakes are made, people shouldn't double-down and triple-down with more crap. X.500 publication of public keys turned into publishing signed documents just in case X.500 data was corrupted, signed by the X.500 administrator. That made sense. But taking X.509 certificates out of an X.500 context was a mistake, a misunderstanding. Even worse when Verisign popped up and claimed they were the authority for the entire Earth. Adding OCSP was another pile on top, because the entire point of certificates is proof WITHOUT a trusted online service. If you have a trusted online service, you don't need certificates+OCSP, you can just give the public key and be done with it. The technology stack being deeper and more complex is IMHO not an improvement, it simply makes it more difficult for normal people (and even security researchers) to comprehend all the ways it can be used against people.

We have precedent for tearing down the giant stack of kludges and starting over: QUIC. QUIC dared to dispense with the core protocol of the internet, TCP.
