From a TLS client perspective, a log could be in 3 states:
- Recognized / trusted: All SCTs from that log are accepted.
- Frozen: SCTs up to a certain point in time are accepted.
- Unknown / distrusted: No SCTs from that log are accepted.
In both states (1) and (2) TLS clients must audit the log in the same way, to ensure the log is operating correctly and each issued SCT corresponds to an entry in the log's Merkle tree (particularly in the 2nd case - to detect back-dating of SCTs).
Auditing the log can be done against the log itself or against a mirror operated by a third-party. It is already the case in Chrome that SCTs from logs that have been effectively decommissioned are still accepted.
Distrusting a log, once misbehaviour was detected, is more nuanced: A naive approach could be white-listing all log entries that are publicly known (for example, are in a mirror) and removing the log's key from the TLS client - so existing certificates+SCTs from that log are still valid (and CT-compliant), but the log's key cannot be misused.
Eran