
⚠️ This is a work in progress. While the CT functionality works, this should not be yet used in production.
CompactLog demonstrates that the same Merkle tree can be efficiently served through both RFC 6962 and Static CT APIs from a single implementation. This challenges the narrative that RFC 6962 is fundamentally unscalable or that separate architectures are necessary.
For our analysis of the broader Certificate Transparency ecosystem and the push toward Static CT, see why Static CT is considered harmful.
A dual-API Certificate Transparency (CT) log implementation. CompactLog serves the same Merkle tree through both the RFC 6962 Certificate Transparency API and the Static CT API (C2SP draft), built on SlateDB to explore how LSM-tree storage can address traditional CT log scalability challenges.
View real-time performance metrics and system health:
CompactLog delivers exceptional performance compared to newer Static CT API-only implementations, while uniquely providing both RFC 6962 and Static CT APIs from the same server. Recent benchmarks demonstrate significant advantages over dedicated static-only CT servers:

Key Performance Highlights: - 2.5-4x lower latency compared to Sunlight (static-only) - 4-5x lower latency compared to Cloudflare's Azul (static-only) - Linear scalability with connection count, maintaining consistent performance under load - All while serving both RFC 6962 and Static CT APIs simultaneously

Reliability & Throughput: - Zero errors across all connection levels (50, 1000, 3000 concurrent connections) - 17x higher throughput than Cloudflare Azul at 1000 connections - 1.5x higher throughput than Sunlight at 3000 connections
These benchmarks demonstrate that CompactLog's dual-API architecture doesn't compromise performance. By leveraging efficient batching and LSM-tree storage, it delivers better performance than specialized static-only implementations while providing the flexibility of both APIs.
This implementation provides a complete Certificate Transparency log that:
CompactLog achieves exceptional performance through its batching strategy and efficient storage design:

Sustained write throughput of 3-4K requests/second across different certificate chain types

Real-time system metrics showing tree growth, SCT issuance success rate, and zero storage queue backlog
CompactLog makes three fundamental design choices that differentiate it from other CT implementations:
Many CT log implementations have a Merge Delay (MD) of minutes to hours, where submitted certificates aren't yet included in the Merkle tree. This exists because:
CompactLog eliminates a MD by reversing this order - certificates are incorporated before SCTs are issued:
Submission 1 ─┐
Submission 2 ─┼─ Wait up to 500ms ─→ Batch tree update ─→ All SCTs returned
Submission 3 ─┘ └── Certificates already incorporated
The 500ms delay is submission latency, not a merge delay. Once SCTs are issued, certificates are already in the tree.

Write request patterns showing effective batching - spikes at the beginning represent batch formation
The batching system:

P95 and P99 latencies showing consistent sub-second response times across all operation types
The latency profile demonstrates:
Traditional CT implementations:
Submit cert → Issue SCT immediately → [MMD period] → Incorporate in tree
CompactLog:
Submit cert → [Batch delay ≤500ms] → Incorporate in tree → Issue SCT
Result: Traditional logs have MMD measured in minutes/hours; CompactLog has an MMD of 0 seconds.
CompactLog versions nodes only at STH publication boundaries:
Example: Publishing STHs every 1000 certificates reduces versioned storage overhead by 1000x.
# Core data
leaf:{index} → certificate/precert data
vnode:{node}@{version} → node hash (version = STH boundary)
nver:{node} → latest version of node
# Operational state
meta → current tree size
committed_size → last STH boundary
hash:{leaf_hash} → tree index
cert_sct:{cert_hash} → SCT data
# Certificate storage (deduplication)
cert:{cert_hash} → certificate binary data
entry:{index} → deduplicated log entry

Consistent ~67% deduplication rate for certificate chains, significantly reducing storage requirements
CompactLog stores certificate chains using content-addressable storage:
cert:{hash} keysThe DeduplicatedLogEntry structure contains:
Every operation maintains strict consistency:
The Static CT API was designed to serve immutable tiles from simple storage (like CDNs), but implementations still face fundamental challenges:
Many implementations require or heavily depend on external databases for: - Deduplication tracking and caching - Write coordination between multiple processes - Sequencing and state management - Staging and crash recovery mechanisms
CompactLog uses a single LSM-tree database (SlateDB) that stores its data directly on cloud object storage (S3, Azure Blob) or POSIX filesystem. The same database handles:
While CompactLog generates tiles dynamically rather than storing pre-computed files, its underlying storage consists entirely of immutable objects in cloud storage or append-only files on disk. All coordination, deduplication, and sequencing happen through this single storage layer without requiring additional databases or complex write pipelines.
This design trades direct CDN serving of pre-generated tiles for a much simpler write path and operational model. The LSM-tree structure naturally fits CT's workload pattern - primarily appending new certificates while efficiently serving historical tree states at any STH boundary - all while leveraging the same cloud object storage that would typically host static tiles.
Create Config.toml or let the system generate defaults:
[server]
bind_addr = "0.0.0.0:8080"
[storage]
provider = "local" # "aws", "azure", or "local"
[storage.local]
path = "/tmp/ct-log-storage"
[keys]
private_key_path = "keys/private_key.pem"
public_key_path = "keys/public_key.pem"
For cloud storage, configure provider-specific credentials in the respective sections.
# Start with default local configuration
cargo run --release
# With debug logging
RUST_LOG=debug cargo run --release
The system automatically generates ECDSA P-256 keys and default configuration if not present.
CompactLog exposes both RFC 6962 and Static CT API endpoints on the same server:
POST /ct/v1/add-chain - Submit certificate chainPOST /ct/v1/add-pre-chain - Submit pre-certificate chain GET /ct/v1/get-sth - Get signed tree headGET /ct/v1/get-entries - Get log entriesGET /ct/v1/get-proof-by-hash - Get inclusion proof by hashGET /ct/v1/get-entry-and-proof - Get entry and inclusion proofGET /ct/v1/get-sth-consistency - Get consistency proofGET /ct/v1/get-roots - Get accepted root certificatesGET /checkpoint - Get current checkpoint (signed note format)GET /tile/{level}/{index} - Get Merkle tree tileGET /tile/data/{index} - Get data tile (gzip compressed)GET /issuer/{fingerprint} - Get issuer certificate by SHA-256 fingerprintBoth APIs serve the exact same Merkle tree data, just in different formats suited to their respective use cases.
$ claude mcp add compact_log \
-- python -m otcore.mcp_server <graph>