Maybe we should store, for each rev and cert, a timestamp of when it was written to the db? This would be purely local information, but it could be useful for forensics ("we know something happened, but have no idea what!"), and auditing ("crud, Debbie's laptop was stolen, has our (still trusted) server received any certs from her since then?").
Would also be useful for UI -- e.g., "what did I just get in that last pull?" is a very interesting query to be able to make.
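A sketch of the idea above, added here as an illustration and not taken from the project's code: a local-only `received_at` column on revisions and certs, plus the two queries mentioned (the stolen-laptop audit and "what did I just get"). The table layout, function names and sample data are assumptions; timestamps are passed in explicitly so the behaviour is reproducible.

```python
import sqlite3

# Hypothetical, simplified schema (not the project's real one). received_at is
# the local arrival time in Unix seconds; it is never synced or signed.
SCHEMA = """
CREATE TABLE revisions (id TEXT PRIMARY KEY, received_at INTEGER NOT NULL);
CREATE TABLE certs (
    rev_id TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL,
    signer TEXT NOT NULL, received_at INTEGER NOT NULL);
CREATE INDEX certs_by_signer_time ON certs (signer, received_at);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def store_rev(db, rev_id, now):
    # INSERT OR IGNORE: a re-sent revision keeps its first arrival time.
    db.execute("INSERT OR IGNORE INTO revisions VALUES (?, ?)", (rev_id, now))

def store_cert(db, rev_id, name, value, signer, now):
    db.execute("INSERT INTO certs VALUES (?, ?, ?, ?, ?)",
               (rev_id, name, value, signer, now))

def certs_from_signer_since(db, signer, since):
    """Audit: certs signed by `signer` that arrived at or after `since`."""
    return db.execute(
        "SELECT rev_id, name, value, received_at FROM certs "
        "WHERE signer = ? AND received_at >= ? ORDER BY received_at",
        (signer, since)).fetchall()

def revs_received_since(db, since):
    """UI: revisions that arrived at or after `since` (e.g. last pull start)."""
    return [r[0] for r in db.execute(
        "SELECT id FROM revisions WHERE received_at >= ? ORDER BY received_at, id",
        (since,))]

def demo():
    # Constructed sample data: ids, key names and times are made up.
    db = open_db()
    store_rev(db, "rev-a", 1000)
    store_cert(db, "rev-a", "branch", "main", "debbie@example.com", 1000)
    store_rev(db, "rev-b", 2000)
    store_cert(db, "rev-b", "branch", "main", "debbie@example.com", 2000)
    store_cert(db, "rev-b", "testresult", "pass", "carol@example.com", 2000)
    store_rev(db, "rev-a", 2000)  # duplicate arrival, ignored
    return db
```

Because `received_at` comes from the receiving machine's clock, it records when an item arrived in this database, not when the cert was signed.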