Why don't browsers maintain, for each CA, a list of TLDs that they are allowed to certify?
I doubt many will care if CNNIC is happy to issue bogus certificates in the .cn domain. But I don't
see why they, or any of the other mysterious entities that we all trust without thinking about it,
should be allowed to sign certificates for .com, .co.uk, .fr, .mil, and other domains.