That's very much a libertarian-style nuclear option to remove a CA from the root store. Why can't the industry work out a fine to pay an ICANN-like org for root CAs when it happens?
A large percentage of phishing sites are hacked WordPress sites.
So if a CA offers a certificate to a legitimate WordPress site, which then proceeds to let itself get hacked and host a phishing page, that CA now has to pay a fine?