public key infrastructure – Why not signing a certificate with more than one Certification Authority


A student asked me a good question today when I was explaining the concept of certificates chain.

As I say “if a CA is compromised by an attacker he can emit false certificates for the entities the CA is allowed to sign (e.g all the *.fr)”,
he asked me : “why not signing each certificate by more than one CA, let’s say 3, so the compromise of only one CA is not sufficient to break the trust and the likeliness to have three CA compromised is far far less than only one.”

I think the question is good. Even if it’s not currently permitted by the x509 standard, it remains a valid criticism of the current model.
I don’t see why the proposed model would not be better but maybe I miss something ?

To be effective this way will need that the 3 signatures were mandatory or that specific DNS record mentions that the certificates for this domain need 3 signatures to be valids.