Comment by regecks
8 years ago
> Could be more general: finding subdomains by watching CT logs.
Yep. Can use crt.sh for this on a per-domain level. I also wrote ausdomainledger.net as an experiment to index all subdomains in the .au TLD, querying the CT logs directly, which was a bunch of fun.
> How to "hide" private subdomains?
Symantec provides the option of label redaction (using the '?' symbol) for CT precerts with the certificates they issue. For example: https://crt.sh/?q=?.amazon.com.au . However, I'm pretty sure it's not supported by the CT RFC ...
Otherwise, I'd say wildcards.
Replacing the CA PKI with something else is very drastic and if possible, will probably take a very long time ...
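An added example, not part of regecks's comment: a Python audit of what CT logs disclose about a domain you operate, sorting logged names into fully exposed hostnames, wildcards, and '?'-redacted labels. The example.com entries are constructed, and the `name_value` field (newline-separated names) is assumed to match the JSON that crt.sh returns.

```python
import json

# Constructed sample shaped like crt.sh JSON output (assumed layout):
# each entry's name_value holds newline-separated DNS names from one cert.
SAMPLE = json.dumps([
    {"id": 1, "name_value": "www.example.com\nexample.com"},
    {"id": 2, "name_value": "*.example.com"},
    {"id": 3, "name_value": "vpn.corp.example.com"},
    {"id": 4, "name_value": "?.example.com"},
    {"id": 5, "name_value": "build.ci.example.com\nWWW.example.com"},
])


def audit_ct_exposure(raw_json, apex):
    """Group the names logged under `apex` by how much they disclose."""
    apex = apex.lower().rstrip(".")
    report = {"exposed": set(), "wildcard": set(), "redacted": set()}
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name != apex and not name.endswith("." + apex):
                continue  # not under the domain being audited
            labels = name.split(".")
            if "?" in labels:
                report["redacted"].add(name)   # label hidden in the precert
            elif labels[0] == "*":
                report["wildcard"].add(name)   # hostnames not disclosed
            elif name != apex:
                report["exposed"].add(name)    # full hostname is public
    return {kind: sorted(names) for kind, names in report.items()}


def covered_by_wildcard(name, wildcards):
    """True if a logged wildcard matches `name`; '*' spans one label only."""
    parent = name.split(".", 1)[1] if "." in name else ""
    return "*." + parent in wildcards


if __name__ == "__main__":
    report = audit_ct_exposure(SAMPLE, "example.com")
    for host in report["exposed"]:
        status = ("could sit behind an existing wildcard"
                  if covered_by_wildcard(host, report["wildcard"])
                  else "needs its own wildcard level to stay unlisted")
        print(f"{host}: {status}")
```

A wildcard only matches a single left-most label, so `*.example.com` does not cover `vpn.corp.example.com`; deeper names need a wildcard at their own level.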