We have a pre-certificate standard already, its called a CSR. It might not have all the fields we need yet. But I am very unhappy with CAs signing anything that looks like a certificate but is not a certificate. There must be no possible way that CT could compromise the existing WebPKI