by nailer
3373 days ago
I think the idea here is that they're not trying to prevent other CAs from issuing end certs, they're trying to only allow certs for their domain - from any CA on their short list - if the owner of the cert has been through Extended Validation.

If we'd asked in 2015, Symantec would probably have pointed us to CrossCert's CPS which said they only use certain Symantec roots. In fact Symantec had no mechanism in place enforcing that, CrossCert could and did issue from any Symantec root, whether it was on the list or not. So, if you chose a root thinking "I don't trust CrossCert, but they don't use this root so it's fine", oops, too bad.