Re: The whole mechanism sucks
Yep. Every CA is a single point of failure.
So it's time to upgrade the Web to use distributed trust authorities. No single point of failure: the attacker has to compromise more than one independent trust authority to impersonate a site.
That's a central pillar of the M-Pin protocol (currently an IETF draft) and Milagro project (in incubation at Apache). Get on board and secure the web. And (by the way) secure the IoT!