Check out sigsum.org for a simpler design with a stronger threat model.

As for building a decentralized append-only log, that would complicate the design and the threat model quite a bit. In particular it would make proofs of inclusion and consistency much less efficient.