Tons of information for research, hackers, you name it ... It shows a history of domains, you can find hidden subdomains, still active, revoked etc ...
Do not forget that we had insanely long certificates not that long ago.
The main issue is that currently you cannot easily revoke certs, so you're almost forced to keep a history of certs, and when one has been revoked in the CT logs.
In theory, if everybody is forced to change certs every 47 days, sure, you can invalidate them and permanently remove them. But it requires a ton of automatization on the user side. There is still way too much software that relies on a single-year or multi-year certificate that is manually added to it. It's also why the fadeout to 47 days is over a 4-year time period.
And it still does not change the massive increase in requests to check validation, that hits CT log providers.
> Tons of information for research, hackers, you name it ... It shows a history of domains, you can find hidden subdomains, still active, revoked etc ...
You can store that kind of information in a lot less space. It doesn't need to be duplicated with each renewal.
> The main issue is that currently you cannot easily revoke certs, so you're almost forced to keep a history of certs, and when one has been revoked in the CT logs.
This is based on the number of active certificates, which has almost no connection with how long they last.
> There is still way too much software that relies on a single-year or multi-year certificate that is manually added to it.
Hopefully less and less going forward.
> And it still does not change the massive increase in requests to check validation, that hits CT log providers.
I'm not really sure how that works but yeah someone needs to pay for that.