The plan was to have criminals use the storefront — an online end-to-end encryption service called Tutanota — to allow authorities to collect intelligence about them.

Oh, yes, sorry, I had a brainfart. Certs don’t usually (or at all?) have more than one root cert.

A CA is not expected to prevent me from hosting rootkits. Doesn’t matter if my domain is rootkits-are.us or totallylegitandsafe.net. It’s their job to make sure I own those domains. Nothing more. For a DV cert at least.

I thought that was the goal. Not to make sure that the website is secure, but that the connection is secure, and that I’ve connected to the server that I expected.