by jchw 2523 days ago
CAs are held to a strict security standard. Nobody is forcing any entity to act as a CA - if you don’t want that kind of responsibility, you don’t have to be a CA. But if this stuff isn’t taken seriously, the padlock icon means absolutely nothing.

My question was why this "regulatory agency" (without statutory powers) believes it is completely acceptable to cause direct harm without any discretion on the size of the risk.

The CA is irrelevant, they're just a middle-man.

What of the much greater potential harm of allowing non-compliant CAs? A CA's 'customers' are not just the people it sold certs to but also everybody on the internet who uses a browser. One way to read this incident is as a story of this inherent divided loyalty.