[jake_the_third]

This is literally also how cert signing works for tls. Unsurprisingly miss-issued certs have been far from common.

This model can work. It's just that microsoft is being sloppy.

[swiftcoder]

Mis-issued certs are common enough that Google et al had to force Symantec out of the cert issuing business. It's a model that only works with a monopolistic cartel gatekeeping the ability to issue certs (which is basically Apple's role in this scenario).