The following link is to a blog post by Cloudflare, and is a really good writeup covering the severe problems challenging anyone who wants to use secure certificates, and the issues in keeping them secure. Or rather, how to keep the CAs secure and honest.
A fascinating read.
https://blog.cloudflare.com/introducing-certificate-transparency-and-nimbus/