by pfg
3267 days ago
I don't recall anything like that having happened before, even in the DigiNotar case, where the CA was thoroughly compromised. The keys must be kept in HSMs, so even with a fully compromised issuance system, the keys themselves are typically safe - which isn't much of a relief at that point. There were a couple of cases where CAs like Trustwave or CNNIC signed intermediate certificates that were capable of issuing publicly-trusted certificates for organizations who lacked the required audits. They were typically intended for corporate/internal MitM proxies, though there was no technical enforcement in place for this, and they could've been used for any MitM attack. The recent investigations into Symantec's CA showed similar, but slightly more complex cases.

There were many other incidents involving problems with behavior of PKI participants, and I'm sure reading this chapter will give people a sense that the ability to remove trust from intermediate CAs is an important ability.