The problem isn't that it doesn't _work_ but rather that it isn't as profitable, and there has so far been no incentive for a CA to stay safe -- no matter how negligent they are the money keeps flowing. Maybe this incident will be the start of something better but I doubt it.
I see people are already saying maybe just this one CA did a bad job. That shouldn't be reassuring. Vendors like Google, Red Hat, Microsoft ship these CA roots in their product. They have taken on the responsibility of determining which CAs are trustworthy, but their procedures for doing so are completely inadequate.
I don't think reform is realistic at this point; we must search for ways to replace the CA function, and I believe DNSSEC has great potential there.