by agwa 1122 days ago
> The people responsible for running the root stores do. And when CAs screw up, they are nuked from orbit--this has happened a few times

The CAs that got the boot were detected because they issued certificates that were obviously invalid, for example for domains like example.com (Symantec), test.com (Certinomis), or domains that didn't even exist (Camerfirma).

A CA that issues an unauthorized certificate for some random domain won't be detected unless that domain's owner is monitoring CT because no one else knows if the certificate is authorized or not.

So please do monitor CT for your domains and don't just rely on root stores and security researchers to do so.
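As an added illustration of the monitoring step this comment asks for (example code, not part of agwa's comment or any monitoring product), the check below takes certificate records as a CT monitor or a log's get-entries API would report them and flags any that cover a monitored domain but are missing from the owner's own issuance ledger. The record layout, CA names, serials and log names are constructed placeholders; the ledger is keyed on (issuer, serial) rather than issuer alone, because a certificate from your usual CA that you never requested is still a mis-issuance.

```python
"""Check certificates reported by a CT monitor against our own issuance ledger.

Added example: the records here are constructed. In practice they come from a
CT monitoring service or from a log's get-entries API after decoding the leaf.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CtRecord:
    """One certificate as a CT monitor would summarise it (constructed sample)."""
    issuer: str             # issuer, simplified to a CA name here
    serial: str             # serial number (hex); a precert and its final cert share it
    names: Tuple[str, ...]  # DNS names from the subjectAltName extension
    log: str                # which CT log the entry was seen in


def in_scope(san: str, monitored: str) -> bool:
    """True if `san` lets its holder serve `monitored` or any subdomain of it.

    A wildcard covers exactly one label, so *.example.com covers www.example.com
    but neither example.com nor a.b.example.com. It is still in scope when we
    monitor example.com (it covers children of it) or www.example.com (it covers
    that name directly).
    """
    san = san.lower().rstrip(".")
    monitored = monitored.lower().rstrip(".")
    if san.startswith("*."):
        base = san[2:]
        parent = monitored.partition(".")[2]  # '' when monitored has a single label
        return base == monitored or base.endswith("." + monitored) or base == parent
    return san == monitored or san.endswith("." + monitored)


def find_unauthorized(records: Iterable[CtRecord],
                      monitored: Iterable[str],
                      ledger: Set[Tuple[str, str]]) -> List[Tuple[CtRecord, List[str]]]:
    """Return records that cover a monitored domain but are absent from `ledger`.

    `ledger` holds (issuer, lowercase serial) pairs written down when each
    certificate was requested. Keying on the pair rather than on issuer alone
    matters: a certificate from our usual CA that we never asked for is still
    a mis-issuance and must be reported.
    """
    monitored = [d.lower().rstrip(".") for d in monitored]
    findings = []
    for rec in records:
        matched = [n for n in rec.names if any(in_scope(n, d) for d in monitored)]
        if matched and (rec.issuer, rec.serial.lower()) not in ledger:
            findings.append((rec, matched))
    return findings


# Constructed sample data: CA names, serials and log names are placeholders.
LEDGER = {
    ("Example Public CA", "0a1b2c"),  # the www.example.com cert we requested
}
MONITORED = ["example.com"]
SAMPLE_RECORDS = [
    # ours: matches the ledger, so it is not reported
    CtRecord("Example Public CA", "0A1B2C", ("www.example.com", "example.com"), "log-a"),
    # a wildcard from another CA that we never requested
    CtRecord("Other CA", "77ff01", ("*.example.com",), "log-b"),
    # lookalike names that are not under example.com: out of scope
    CtRecord("Other CA", "77ff02", ("notexample.com", "example.com.evil.test"), "log-b"),
    # our usual CA, but a serial we have no record of
    CtRecord("Example Public CA", "0a1b2d", ("mail.example.com",), "log-a"),
]


if __name__ == "__main__":
    for rec, names in find_unauthorized(SAMPLE_RECORDS, MONITORED, LEDGER):
        print(f"ALERT {rec.log}: {rec.issuer} serial {rec.serial} covers {', '.join(names)}")
```

Run against the sample data this reports the wildcard from the other CA and the unrecorded serial from our own CA, and ignores the lookalike names. Because a precertificate and the final certificate it precedes carry the same issuer and serial, keying the ledger on that pair avoids a second alert when the final certificate is logged later.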