We've recently experienced yet another case of a root certificate authority (CA from now on) losing control of its own certificates. This whole mess stems, once again, from both a governance and a technical problem. Web browsers implement several techniques to check the certificate revocation status, but errors in the procedure are rarely considered hard failures. The fundamental problem not addressed by either of these protocols is that we should stop trusting, albeit just temporarily, an CA (antant CA) has compromised the entire trust on all certificates.
Source: https://securelist.com/trust-but-verify-when-cas-fall-short/57630/

