Comment by adolph

7 hours ago

> certificate authority logs, which are actively monitored by vulnerability scanners

That sounds like a large kick-me sign taped to every new service. Reading how certificate transparency (CT) works leads me to think that there was a missed opportunity to publish hashes to the logs instead of the actual certificate data. That way a browser performing a certificate check can verify in CT, but a spammer can't monitor CT for new domains.

https://certificate.transparency.dev/howctworks/
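As an added example (not code from the comment or the linked CT explainer) of the hash-only idea above: an RFC 6962-style Merkle tree built over leaf hashes, an inclusion proof, and a verifier that must hold the certificate bytes to check it. A monitor that already has a certificate can still confirm it was logged, while the published entries carry no domain names. The certificate strings and the log contents are constructed placeholders, not real DER.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: the 0x00 prefix domain-separates leaves from nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash, 0x01 prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(leaves: list) -> bytes:
    """Merkle Tree Hash over already-hashed leaves (RFC 6962 section 2.1)."""
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))

def inclusion_proof(leaves: list, m: int) -> list:
    """Audit path for leaf index m (RFC 6962 section 2.1.1)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [tree_head(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [tree_head(leaves[:k])]

def verify_inclusion(cert: bytes, index: int, size: int, path: list, root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2 check; the verifier hashes the certificate it holds."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash(cert)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn != 0:  # only runs when fn == sn with LSB clear
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# Constructed placeholder certificates; the log publishes only their leaf hashes.
CERTS = [b"cert:example.com", b"cert:internal.example.net", b"cert:shop.example.org"]
LOG = [leaf_hash(c) for c in CERTS]
ROOT = tree_head(LOG)

def find_known_cert(cert: bytes):
    """A monitor already holding a certificate can locate it in the hash-only log."""
    h = leaf_hash(cert)
    return LOG.index(h) if h in LOG else None
```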