...if their activities are discovered. And then the attacker just gets another certificate under a different name, or steals somebody else's certificate. Ignoring, of course, that revocation is totally broken.
It cannot simultaneously be easy for anyone to get a certificate and hard for an attacker to get a certificate.
It cannot simultaneously be easy for anyone to get a certificate and hard for an attacker to get a certificate.