It's late and I maybe haven't been super constructive here, but I think when you try to write out the actual assumptions behind CT as the whole solution, you realize you've got something that mostly works assuming assuming assuming - and worse, we'll never do any better, because those assumptions are fundamental technical limits. DNSSec may be ugly but at least its problems (like validators failing open) are just deployment issues, not fundamental technical issues.

I'm sick and tired of using technologies that provide security or correctness subject to a long list of preconditions and ways for folks to tell me I'm using it wrong. To build secure systems, we need technology that provides correct security without so much asterisks and fine print.