[mmalone]

Also, the Web PKI model has no real granular authorization when it comes to which CA can issue for which domain. A trusted CA can issue for any domain. So if you TOFU in my CA to connect to my website you’re also allowing me to issue for google.com.

Obviously this is all addressable in theory, but now you’d need some kinda policy system baked in pretty much everywhere.

[im3w1l]

No I meant like this:

Your website hands me a cert. I have never seen it before so I make sure CA says it's legit. From then on I keep using that same cert to connect to you, and CA no longer matters.

[jlgaddis]

I haven't checked/verified recently but from your comment I'm guessing that the major browsers still don't support (i.e., enforce) the Name Constraints extension?

[corty]

There are CAA records in DNS, but those are far too weak. The CAs are supposed to check them at issue-time. To be useful, the clients would have to check them at acceptance-time.

[jlgaddis]

That wouldn't quite work the way you think it would...

The CAA record is useful only at the time a certificate is issued (signed) by a CA.

A client has no way to know what the CAA record was at the time the certificate was issued -- a browser cannot ("at acceptance-time") use the current value of the CAA record to determine whether a certificate was properly issued or not.