Embedded SCT distribution dashboard


Filippo Valsorda

9:02 AM
to Certificate Transparency Policy
Hello humans and critters,

I could not find an easily accessible data source for the distribution among logs of embedded SCTs, so I built a dashboard based on Censys research access and exe.dev, based on an idea by Matthew McPherrin.


Every day, the system fetches counts for cert.labels = "trusted" and cert.labels = "leaf" with a cert.parsed.validity_period.not_before range in the previous day, and buckets by cert.parsed.extensions.signed_certificate_timestamps.log_id. It also runs the same queries filtered by cert.parsed.issuer.organization to each of the most popular CAs.

This data is a better indicator of log usage among CAs than log growth rates, because the latter are affected by cross-posting and full certificate posting policies.

There are a few nice insights in the data. First, if you untick Group series you can clearly see the shift from 2026h1 to 2026h2 a couple days ago.

You can also clearly see when Let's Encrypt moved to prefer Static CT logs on 2026-03-27, going from 

to

where neon green is Let's Encrypt, purple is Geomys, and gold is IPng.

Unfortunately, Let's Encrypt appears to be the only CA uniformly spreading load among Usable logs. Other CAs mostly use Google, DigiCert, and Sectigo logs. 

In particular, among the larger CAs
  • GTS uses a mix of RFC 6962 logs
  • Sectigo uses Google Argon and Sectigo Tiger
  • GoDaddy uses Google Argon, the two DigiCert logs, and Cloudflare Nimbus
  • DigiCert uses Google and DigiCert logs.
It would be nice to hear from these CAs if they encountered any issues with Static CT logs, and from the community on whether better load balancing is something we should try to encourage more.

The whole system was built by Claude Opus 4.6 in the Shelley harness, and I have not seen the code, so I am not releasing it as vetting it properly would take longer than it took to produce the dashboard. Improvement suggestions are welcome.

Until next time,
Filippo
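
The bucketing by embedded SCT log ID described in the post, as an added example (not the dashboard's code, which is unreleased). It assumes the input is the raw RFC 6962 SCT list taken from the certificate extension rather than a Censys query result; the log IDs, timestamp and signatures below are constructed sample values.

```python
import struct
from collections import Counter

def parse_sct_list(data: bytes):
    """Parse an RFC 6962 SignedCertificateTimestampList (TLS encoding).
    Input is the extension value with both DER OCTET STRING wrappers removed.
    Returns [(log_id_hex, timestamp_ms)] for v1 SCTs."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("bad SCT list length")
    out, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (n,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        if len(sct) != n:
            raise ValueError("truncated SCT")
        if n == 0 or sct[0] != 0:
            continue  # unknown SCT version: opaque to us, skip it
        if n < 47:  # version, log ID, timestamp, ext length, algs, sig length
            raise ValueError("short v1 SCT")
        out.append((sct[1:33].hex(), struct.unpack_from(">Q", sct, 33)[0]))
    return out

def log_distribution(sct_lists):
    """Return (certificate count, Counter of certificates per log ID)."""
    counts, certs = Counter(), 0
    for raw in sct_lists:
        certs += 1
        # Use a set so a certificate counts once per log.
        counts.update({log_id for log_id, _ in parse_sct_list(raw)})
    return certs, counts

# Constructed sample data: fake log IDs, dummy 4-byte signatures.
def make_sct(log_id: bytes, ts_ms: int) -> bytes:
    body = (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", 4) + b"\xaa" * 4)
    return struct.pack(">H", len(body)) + body

def make_list(*scts: bytes) -> bytes:
    return struct.pack(">H", sum(map(len, scts))) + b"".join(scts)

LOG_A, LOG_B, LOG_C = (bytes([i]) * 32 for i in (1, 2, 3))
TS = 1_700_000_000_000
SAMPLE = [make_list(make_sct(LOG_A, TS), make_sct(LOG_B, TS)),
          make_list(make_sct(LOG_A, TS), make_sct(LOG_C, TS)),
          make_list(make_sct(LOG_A, TS), make_sct(LOG_B, TS))]
```

Because each certificate carries more than one SCT, the per-log counts sum to more than the number of certificates; shares are best read as the fraction of certificates that include an SCT from a given log.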