Comment by schoen
11 years ago
We will look for ways to mitigate the risk of misissuing for any reason, including because someone tries to coerce us to misissue. One approach to this that's interesting is Certificate Transparency.
http://www.certificate-transparency.org/
There's also HPKP, TACK, and DANE, plus the prospect of having more distributed cert scans producing databases of all the publicly visible certs that people are encountering on the web.
DANE is the way to go forward. Have your TLD CA sign your domain key and sign your web certificates with your own key.
Only one "root CA" to trust per TLD, and it's free if you own a TLD that supports DNSSEC (most do these days).
Now we just need the DANE check built into the browser without any plugins that require installation.
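An added illustration, not part of this thread, of the browser-side check described above: building a DANE-EE TLSA record (RFC 6698 usage 3, selector 1, SHA-256) for a server's own key and verifying a presented key against it. The SPKI bytes and the `_443._tcp.example.com.` owner name are constructed placeholders.

```python
import hashlib
import struct

# TLSA parameters for the "pin your own key" model discussed above:
# usage 3 = DANE-EE (trust the end-entity key directly, no CA chain needed),
# selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256 of that SPKI.
DANE_EE, SEL_SPKI, MT_FULL, MT_SHA256 = 3, 1, 0, 1

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo (not a real key).
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
OWNER = "_443._tcp.example.com."


def tlsa_rdata(spki_der: bytes, usage=DANE_EE, selector=SEL_SPKI, mtype=MT_SHA256) -> bytes:
    """Return the wire-format RDATA of a TLSA record for the given SPKI."""
    if mtype == MT_SHA256:
        assoc = hashlib.sha256(spki_der).digest()
    elif mtype == MT_FULL:
        assoc = spki_der
    else:
        raise ValueError("unsupported matching type")
    return struct.pack("!BBB", usage, selector, mtype) + assoc


def tlsa_presentation(owner: str, rdata: bytes) -> str:
    """Render RDATA as the zone-file line an operator would publish under DNSSEC."""
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return f"{owner} IN TLSA {usage} {selector} {mtype} {rdata[3:].hex()}"


def dane_ee_matches(spki_der: bytes, records: list) -> bool:
    """True if the SPKI presented in the TLS handshake matches any DANE-EE/SPKI record.

    Records with other usages (0-2) also require PKIX chain validation and are
    deliberately skipped here rather than treated as a match.
    """
    for rdata in records:
        usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
        if usage != DANE_EE or selector != SEL_SPKI:
            continue
        if mtype == MT_SHA256 and hashlib.sha256(spki_der).digest() == rdata[3:]:
            return True
        if mtype == MT_FULL and spki_der == rdata[3:]:
            return True
    return False


if __name__ == "__main__":
    record = tlsa_rdata(SAMPLE_SPKI)
    print(tlsa_presentation(OWNER, record))
    print("presented key accepted:", dane_ee_matches(SAMPLE_SPKI, [record]))
```

A real client must first fetch the TLSA RRset over a DNSSEC-validated lookup; an unsigned answer gives no assurance and the check must fall back to ordinary PKIX validation.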