Fraudulent *.google.com certificate issued

I assume the tax offices also distribute information to the public that needs to be correct to protect people's privacy; if someone made tax form booklets that told you to send the forms to an attacker (who would then send them on to the correct address, having copied them), they could steal all sorts of information. If these official mailings included the CA fingerprint where they tell you about the web site, it would be more secure than what Google does, because an attacker couldn't just hack into some insecure CA and get a fraudulent certificate that would act the way the booklet tells you to expect.