
> If a CA ever screwed up, they would feel it.

CAs have screwed up in the real world. And the result of those screw-ups was removal from root cert lists. And they closed down as a result. DigiNotar and WoSign both faced this calamity.

There was a time when root stores let anyone in who asked nicely. That time has long since passed, however; the modern process is quite involved. See Mozilla's process here: https://wiki.mozilla.org/CA/Application_Process, and note that it calls out that it's expected to take two years to complete. It's not a pro forma policy: the Federal PKI [1] was not able to meet the requirements of inclusion into the root store because its rules for issuing certificates are not considered sufficient per modern browser requirements.

Quite frankly, I'd place far more trust in Mozilla's ability to audit CAs than my ability to do it myself, and I'd trust the average user's ability even less than myself. Arguing that CAs having to advertise to the user is a good idea for trust ignores the fact that unsavory companies openly abuse their users and yet still have high trust. (To say nothing of politicians...)

[1] This is the PKI system that's mandatory within the US government for internal certificates.



