I've always felt that the browser vendor + CA model was bad, but this is next-level embarrassing. How is the very root of trust in the internet so... untrustworthy?

Revocation seems really nasty to deal with.

The whole chain-of-trust model is that your browser vouches for an authority, which vouches for a website, that everything is legit.

You can't just duct-tape on an idea like: that cert for "www.xyz" is totally legit, unless I takesies-backies'd my vouch at some point, so just double-check.

If you want that sort of "continuous" trust scheme, then what makes more sense is something like having short-lived certificates.
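To make the two points above concrete (the browser vouching for an authority that vouches for a site, and short-lived certificates making trust "continuous" without a revocation check), here is an added example in Go; it is not code from the commenter or from any browser or CA. It builds a constructed toy root CA and a leaf for an assumed hostname with an assumed six-day lifetime, then runs the same path-building and validity-window check a client would, once inside the window and once after it. The leaf stops verifying on its own once the window closes, with no CRL or OCSP lookup involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: a toy root CA (the "authority" the browser vouches for)
// and a short-lived leaf it vouches for. No real CA, host or key is involved.

// issueChain creates a self-signed root and a leaf for host that is valid
// from notBefore for exactly lifetime. The leaf is signed with the root key.
func issueChain(host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, *x509.Certificate, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy Root CA"}, // assumed name
		NotBefore:             notBefore.Add(-time.Hour),
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime), // the short window is the whole point
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// verifyAt does what a browser does when it sees leaf at time now: build a
// chain to a trusted root, match the hostname, and require now to fall inside
// every certificate's validity window. No revocation lookup happens here.
func verifyAt(root, leaf *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isExpired reports whether a verification failure is the validity window
// having closed, as opposed to a bad signature or a hostname mismatch.
func isExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue time
	lifetime := 6 * 24 * time.Hour                         // assumed six-day leaf

	root, leaf, err := issueChain("www.example.test", issued, lifetime)
	if err != nil {
		panic(err)
	}
	for _, at := range []time.Time{issued.Add(time.Hour), issued.Add(lifetime + time.Hour)} {
		err := verifyAt(root, leaf, "www.example.test", at)
		fmt.Printf("at %s: valid=%v expired=%v\n", at.Format(time.RFC3339), err == nil, isExpired(err))
	}
}
```

The design point is that the only "double-check" the client performs is the clock: a leaf that lives for days rather than a year bounds the damage of a key compromise or mis-issuance to that window, so the vouch effectively renews or lapses every few days instead of depending on a revocation list the client may never fetch.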