mark_round 2 hours ago

Author here, hi! Was just venting last night, but that's a very good point, I'll update it later with your correction :)

acer4666 2 hours ago | parent [-]

You should make it about CT logs. I believe you need to compromise at least three of them.

mark_round 3 minutes ago | parent | next [-]

That was what I was thinking of (but worded it badly in the middle of my rant!)

If I wanted to intercept all your traffic to any external endpoint without detection I would have to compromise the exact CA that signed your certificates each time, because it would be a clear sign of concern if e.g. Comodo started issuing certificates for Google. Although of course as long as a CA is in my trust bundle then the traffic could be intercepted, it's just that the CT logs would make it very clear that something bad had happened.

tialaramex an hour ago | parent | prev [-]

The whole point of the logs is that they're tamper-evident. If you think the certificate you've seen wasn't logged you can show proof. If you think the logs tell you something different from everybody else you can prove that too.

It is striking that we don't see that. We reliably see people saying "obviously" the Mossad or the NSA are snooping, but they haven't shown any evidence that there's tampering.
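The two proofs the comment above refers to, worked through in code as an added example (not the commenter's code, and not a real log client): a CT log is a Merkle tree hashed as in RFC 6962 (0x00 prefix for leaves, 0x01 for interior nodes), an inclusion proof is the evidence that a certificate you hold was logged, and a consistency proof is the evidence that a later tree head is an append-only extension of an earlier one. Both are checked by recomputing roots from the proof alone, with no access to the log's data. The entries, the function names, and the "substituted entry" fork scenario are constructed for illustration; real deployments also check the log's signatures over the SCT and the STH, and gossip STHs between clients, which is omitted here.

```python
import hashlib
from typing import List, Tuple

# RFC 6962 domain separation: 0x00 for leaves, 0x01 for interior nodes,
# so a leaf hash can never be presented as a node hash or vice versa.
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) over leaf hashes, RFC 6962 section 2.1."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaves[0]
    k = split_point(n)
    return node_hash(tree_hash(leaves[:k]), tree_hash(leaves[k:]))

def inclusion_proof(m: int, leaves: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]): sibling hashes from leaf m up to the root."""
    n = len(leaves)
    if n == 1:
        return []
    k = split_point(n)
    if m < k:
        return inclusion_proof(m, leaves[:k]) + [tree_hash(leaves[k:])]
    return inclusion_proof(m - k, leaves[k:]) + [tree_hash(leaves[:k])]

def root_from_inclusion(leaf: bytes, m: int, n: int, proof: List[bytes]) -> bytes:
    """Root implied by an inclusion proof; mirrors PATH() without any log data."""
    if n == 1:
        if proof:
            raise ValueError("proof too long")
        return leaf
    if not proof:
        raise ValueError("proof too short")
    k = split_point(n)
    if m < k:
        return node_hash(root_from_inclusion(leaf, m, k, proof[:-1]), proof[-1])
    return node_hash(proof[-1], root_from_inclusion(leaf, m - k, n - k, proof[:-1]))

def verify_inclusion(leaf: bytes, m: int, n: int, proof: List[bytes], root: bytes) -> bool:
    if not 0 <= m < n:
        return False
    try:
        return root_from_inclusion(leaf, m, n, proof) == root
    except ValueError:
        return False

def consistency_proof(m: int, leaves: List[bytes]) -> List[bytes]:
    """PROOF(m, D[n]): shows D[0:m] is a prefix of D[0:n], for 0 < m <= n."""
    return _subproof(m, leaves, True)

def _subproof(m: int, leaves: List[bytes], b: bool) -> List[bytes]:
    n = len(leaves)
    if m == n:
        return [] if b else [tree_hash(leaves)]
    k = split_point(n)
    if m <= k:
        return _subproof(m, leaves[:k], b) + [tree_hash(leaves[k:])]
    return _subproof(m - k, leaves[k:], False) + [tree_hash(leaves[:k])]

def roots_from_consistency(m: int, n: int, proof: List[bytes],
                           old_root: bytes, b: bool = True) -> Tuple[bytes, bytes]:
    """(old_root, new_root) implied by a consistency proof; mirrors _subproof()."""
    if m == n:
        if b:
            if proof:
                raise ValueError("proof too long")
            return old_root, old_root
        if len(proof) != 1:
            raise ValueError("bad proof length")
        return proof[0], proof[0]
    if not proof:
        raise ValueError("proof too short")
    k = split_point(n)
    if m <= k:
        o, nw = roots_from_consistency(m, k, proof[:-1], old_root, b)
        return o, node_hash(nw, proof[-1])
    o, nw = roots_from_consistency(m - k, n - k, proof[:-1], old_root, False)
    return node_hash(proof[-1], o), node_hash(proof[-1], nw)

def verify_consistency(m: int, n: int, proof: List[bytes],
                       old_root: bytes, new_root: bytes) -> bool:
    if m == 0 or m > n:
        return False
    try:
        o, nw = roots_from_consistency(m, n, proof, old_root)
    except ValueError:
        return False
    return o == old_root and nw == new_root

# Constructed sample entries standing in for logged certificates (not real data).
ENTRIES = [b"cert-%d" % i for i in range(7)]

def demo() -> dict:
    leaves = [leaf_hash(e) for e in ENTRIES]
    root5, root7 = tree_hash(leaves[:5]), tree_hash(leaves[:7])
    incl = inclusion_proof(3, leaves[:5])          # "my cert really was logged"
    cons = consistency_proof(5, leaves[:7])        # "size 7 extends size 5"
    # Hypothetical fork: the log swapped entry 4 after publishing the size-5 head.
    fork = leaves[:4] + [leaf_hash(b"cert-4-substituted")] + leaves[5:7]
    return {
        "cert3_in_log": verify_inclusion(leaves[3], 3, 5, incl, root5),
        "unlogged_cert_rejected": not verify_inclusion(leaf_hash(b"never-logged"), 3, 5, incl, root5),
        "append_only_5_to_7": verify_consistency(5, 7, cons, root5, root7),
        "fork_detected": not verify_consistency(5, 7, consistency_proof(5, fork), root5, tree_hash(fork)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last check is the "logs tell you something different from everybody else" case: once you hold the size-5 head, no proof the forked log can produce will reconcile it with the forked size-7 head, because the old root commits to the original entry 4, so the mismatch itself is the publishable evidence of tampering. Likewise, a log that signed an SCT for a certificate but cannot produce an inclusion proof that verifies against a published head has broken its promise in a way anyone can check.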