Exactly, or maybe just offering the CA more money to produce a fake certificate. Not just that, but should a CA be compromised, either by hacking or political pressures or other, they have no incentive to disclose that fact. In fact they have every reason not to.
The solution would be to establish trust with maybe a half dozen CAs in different jurisdictions, or at least that would be a solution to some of those problems, but it's cost prohibitive with the current business model.
This isn't a problem with the technology...
Copyright © 2017, Eklektix, Inc.