
The Chrome team has announced that "[they]’ll be moving forward with [their] plan to require Certificate Transparency for all newly issued, publicly trusted certificates starting in April 2018."

It's July 2018 now. Is Certificate Transparency required now? What changed?

The two main questions I'm trying to find an answer to:

  1. Will certificates from corporate (or "internal") CAs be rejected by Chrome?
  2. Will every certificate observed by the browser now trigger a query to Google's CT server?
jornane

1 Answer


Will certificates from corporate (or "internal") CAs be rejected by Chrome?

This is already answered in the exact sentence you've cited: "... require Certificate Transparency for all newly issued, publicly trusted certificates". Since internal CAs are not publicly trusted, no certificate transparency will be required for these.

Will every certificate observed by the browser now trigger a query to Google's CT server?

Certificate Transparency in Chrome describes the verification process as follows:

Chrome may check that an SCT has been honoured by the CT log that issued it, i.e. that the corresponding certificate is indeed published in that CT log. ... Chrome does this by sending a specially-crafted DNS query that requests an inclusion proof from the log. Using DNS allows the user to remain anonymous from the CT log's perspective and enables caching of inclusion proofs.

From my understanding it will always check if the required CT information is in the certificate. But I don't think that this means it will always check that this information is correct and reflected in the CT logs. My guess is that it will not check always, but often enough that certificates with fake CT information get detected.

Steffen Ullrich
  • Curiously, the text quoted above from https://certificate.transparency.dev/ when this answer was written in 2018 no longer appears on the referenced page. Also related: https://security.stackexchange.com/questions/211026/how-when-does-chrome-queries-certificate-transparency-ct-log-servers-to-ask-fo and https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md. All of the above begs the question as to how Chrome (and other browsers) query the CT logs, and if users' browsing activity is leaked in the process. – mti2935 Apr 16 '21 at 18:38