The CT Logs were a solution to the problem of misissuance being essentially undetectable, and shorter certificate lifetimes were the solution to the frustrating fail-open behavior of the revocation mechanism[s]. The other advantage is that OCSP was a privacy nightmare, as it required broadcasting every site you visited just on the off chance a cert was revoked. Unsurprisingly there's quite an incentive to monetize those queries.<p>The specific problem in this post is that the log servers are occasionally down, which is obviously suboptimal, but was also a predicted and understood problem, which is why every client is expected to require that any certificate that they validate is signed by multiple (I think >= 3? but that was also years ago) unrelated log services.<p>Client validation is essentially "are these log tokens valid" - revocation checking a la OCSP is still essentially useless in practice, and I think some vendors monitor for revocations and construct their own revocation lists for all their CAs that their clients pull. The notable point being that their clients aren't pulling per domain, they're getting the full list of all revocations. I assume actual implementations do some kind of partial/delta updates (you could imagine "entire DB" and "last N hours" or something).
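The "signed by multiple unrelated log services" check from the comment above, sketched as an added example that is not part of the thread: it parses an RFC 6962 SignedCertificateTimestampList and counts distinct log operators against a caller-supplied threshold. The log IDs, operator table and sample bytes are constructed, and SCT signatures are not verified here.

```python
import struct

def parse_sct_list(blob):
    """Parse an RFC 6962 SignedCertificateTimestampList (TLS encoding)."""
    if len(blob) < 2 or struct.unpack_from(">H", blob, 0)[0] != len(blob) - 2:
        raise ValueError("list length mismatch")
    scts, off = [], 2
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", blob, off)
        sct = blob[off + 2 : off + 2 + n]
        off += 2 + n
        if len(sct) != n or n < 1:
            raise ValueError("truncated SCT")
        if sct[0] != 0:          # only v1 (value 0) has a layout we know
            continue
        if n < 47:               # 43 fixed bytes + hash/sig alg + sig length
            raise ValueError("SCT too short")
        _, log_id, ts, ext_len = struct.unpack_from(">B32sQH", sct, 0)
        sig_off = 43 + ext_len + 2   # skip extensions and the 2 algorithm bytes
        if sig_off + 2 > n:
            raise ValueError("bad extensions length")
        (sig_len,) = struct.unpack_from(">H", sct, sig_off)
        if sig_off + 2 + sig_len != n:
            raise ValueError("bad signature length")
        scts.append({"log_id": log_id, "timestamp_ms": ts})
    return scts

def distinct_operators(scts, operators):
    """Map log IDs to operators; SCTs from unknown logs do not count."""
    return {operators[s["log_id"]] for s in scts if s["log_id"] in operators}

def meets_policy(blob, operators, min_operators):
    """True if the SCTs come from at least min_operators unrelated operators."""
    return len(distinct_operators(parse_sct_list(blob), operators)) >= min_operators

# --- constructed sample data (not real logs or signatures) ---
def _make_sct(log_id, ts_ms):
    sig = b"\x00" * 8  # placeholder bytes standing in for a signature
    body = (struct.pack(">B32sQH", 0, log_id, ts_ms, 0) + bytes([4, 3])
            + struct.pack(">H", len(sig)) + sig)
    return struct.pack(">H", len(body)) + body

LOG_A, LOG_B, LOG_C = b"A" * 32, b"B" * 32, b"C" * 32
OPERATORS = {LOG_A: "op-one", LOG_B: "op-one", LOG_C: "op-two"}  # assumed table
_body = b"".join(_make_sct(l, 1700000000000) for l in (LOG_A, LOG_B, LOG_C))
SAMPLE = struct.pack(">H", len(_body)) + _body
```

Three SCTs here satisfy a threshold of two operators but not three, because two of the logs share an operator; counting logs instead of operators would hide that.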
Logs are there because any person at any CA can generate a cert for your domain and we want to know when that happens. We should fix that.<p>A new standard could dictate that registrars and CAs have to work together. Specifically, customer uploads a public key to a registrar, and a CA has to use registrar's public key to validate a CSR. This makes it impossible to create a valid certificate without the domain owner's key - and not whoever took over the domain record for the moment that the CA validated. The browser should validate that the cert was signed using the key from the registrar.<p>In this way even a rogue CA cert can't work on a client. Only a cert created by the domain owner will be valid. So only one CA and one key can create a valid cert.
With specs like WebBundle, sites could self-sign the log content, in a way where other people could securely mirror/cache another site's log resources in a way that's still clear & secure.