> Certificate Transparency is even better, it allows you to see all certificates these CAs issued.
What OP suggested would have potentially prevented rogue behavior from a hacked CA from causing any damage. With Certificate Transparency you would just have a nice log about it afterwards.
> This also means the site operator can monitor for certificates issued for their site and notice if a CA they aren't using issues one.
All they could do is turn off the site and report the incident. It would still take hours before that certificate was revoked and that information propagated to browsers. I'm also fairly confident 99.5% of website operators do not watch any cert monitors.
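The monitoring check the quoted line describes, as an added example that is not part of the thread: it takes CT log entries (the records below are constructed stand-ins for what a CT monitor would return, not entries from any real log), keeps the ones naming the operator's domain or a subdomain, and flags any still-valid certificate whose issuer is not on the operator's allowlist. The issuer names other than Let's Encrypt R3, the log indexes and the dates are made up.

```python
"""Flag CT-logged certificates for our domain issued by CAs we don't use.

Added example. The entries below are constructed stand-ins for what a
CT log monitor hands back (issuer, SANs, validity); they are not records
from any real log, and the issuer names other than Let's Encrypt R3 are
invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CtEntry:
    log_index: int            # position in the CT log (constructed value)
    issuer: str               # issuer common name as the CA prints it
    sans: tuple               # dNSName entries from subjectAltName
    not_before: datetime
    not_after: datetime


def _dt(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def san_covers(san: str, hostname: str) -> bool:
    """True if one SAN entry covers hostname. A wildcard matches exactly one label."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[2:]
        return (hostname.endswith("." + suffix)
                and hostname.count(".") == suffix.count(".") + 1)
    return san == hostname


def names_domain(entry: CtEntry, domain: str) -> bool:
    """True if any SAN names `domain` itself or something under it.

    Wildcard SANs are reduced to their base so '*.example.com' counts as
    naming example.com. The leading dot in the suffix test keeps
    'notexample.com' from matching 'example.com'.
    """
    d = domain.lower().rstrip(".")
    for san in entry.sans:
        base = san.lower().rstrip(".")
        if base.startswith("*."):
            base = base[2:]
        if base == d or base.endswith("." + d):
            return True
    return False


def unexpected_issuers(entries, domain, allowed_issuers, now=None,
                       ignore_expired=True):
    """Return entries naming `domain` whose issuer is not on the allowlist.

    Expired certificates are dropped by default: they can no longer be
    presented to current visitors, so they are history rather than an
    active risk. Pass ignore_expired=False when reviewing past incidents.
    """
    now = now or datetime.now(timezone.utc)
    allowed = {a.lower() for a in allowed_issuers}
    flagged = []
    for e in entries:
        if not names_domain(e, domain):
            continue
        if ignore_expired and e.not_after < now:
            continue
        if e.issuer.lower() not in allowed:
            flagged.append(e)
    return flagged


# Constructed sample feed: what a monitor might return for example.com.
SAMPLE_ENTRIES = (
    CtEntry(1001, "Let's Encrypt R3", ("example.com", "www.example.com"),
            _dt(2024, 1, 1), _dt(2024, 4, 1)),          # our old cert, expired
    CtEntry(1002, "Let's Encrypt R3", ("example.com", "www.example.com"),
            _dt(2024, 3, 20), _dt(2024, 6, 18)),        # our current cert
    CtEntry(1003, "Some Other CA G2", ("*.example.com",),
            _dt(2024, 4, 2), _dt(2025, 4, 2)),          # wildcard from a CA we never used
    CtEntry(1004, "Some Other CA G2", ("notexample.com",),
            _dt(2024, 4, 2), _dt(2025, 4, 2)),          # unrelated domain, ignore
    CtEntry(1005, "Example Corp Internal CA", ("mail.example.com",),
            _dt(2024, 2, 1), _dt(2025, 2, 1)),          # our own internal CA, allowed
    CtEntry(1006, "Old Rogue CA", ("example.com",),
            _dt(2023, 1, 1), _dt(2023, 12, 31)),        # unexpected but long expired
)
ALLOWED_ISSUERS = ("Let's Encrypt R3", "Example Corp Internal CA")
NOW = _dt(2024, 5, 1)   # fixed "current time" so the sample is reproducible


if __name__ == "__main__":
    for e in unexpected_issuers(SAMPLE_ENTRIES, "example.com", ALLOWED_ISSUERS, now=NOW):
        print(f"ALERT log#{e.log_index}: {e.issuer!r} issued {e.sans} "
              f"valid {e.not_before.date()}..{e.not_after.date()}")
```

Run on the sample, the only alert is log entry 1003, the wildcard certificate from a CA the operator has never used; 1006 appears only when expired entries are included. As the comment notes, the alert is a starting point for reporting the certificate and requesting revocation, not a block in itself.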