Certificate Transparency
Recall from the opening paragraphs of the chapter that one of the major jobs of a CA is trust. Whether it is a public or a private CA, you have to trust the CA to verify that whoever is requesting a certificate is who they say they are. If this check fails, then anyone who wants to represent yourbank.com could request that certificate and pretend to be your bank! That would be disastrous in today's web-centric economy.
When this trust does fail, the various CAs, browser teams (Mozilla, Chrome, and Microsoft especially), and OS vendors (primarily Linux and Microsoft) will simply delist the offending CA from the various OS and browser certificate stores. This essentially moves all of the certificates issued by that CA to an untrusted category, forcing all of the services that use them to acquire certificates from elsewhere. This has happened a few times in the recent past.
DigiNotar was delisted after it was compromised, and the attackers got control of some...