They could mint certificates, for / about any name. But, those certificates won't work in popular applications unless the certificates include proof of logging.
So to be effective this means a hypothetical bad actor (maybe the US government or anybody else) issues bogus certificates, then either logs them - making a permanent record for everybody to see, or also subverts two or more logs, so that they issue bogus proofs.
This is a very expensive one-shot attack on whatever the target would be. I guess it's not stupider than "Let's bomb Iran for no good reason" but it's up there.
For the vast majority of cases, would anyone notice these malicious certificates being created and logged?
I don't subscribe for my personal domains, because who cares, but when I was in charge of certificates for something important I subscribed to notifications from several providers to make sure I didn't miss anything.
I would like to think at least all the high profile destinations have someone watching.
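The kind of check a log-monitoring subscription like the one mentioned above performs, as an added example that is not part of the thread or any provider's code: it matches names in logged certificates against watched domains and flags entries the owner cannot account for. The entry fields, CA names, serials and domains are all constructed assumptions.

```python
# Added example: constructed data, hypothetical names throughout.
WATCHED = {"example.com"}                     # domains we are responsible for
EXPECTED_ISSUERS = {"Example Trust CA R1"}    # CAs we actually use (assumption)
KNOWN_SERIALS = {"0a01"}                      # serials from our own issuance inventory

# Constructed sample of entries a log monitor might deliver.
SAMPLE_ENTRIES = [
    {"serial": "0a01", "issuer": "Example Trust CA R1",
     "names": ["example.com", "www.example.com"]},
    {"serial": "7f3c", "issuer": "Other CA X9", "names": ["login.example.com"]},
    {"serial": "11b2", "issuer": "Example Trust CA R1", "names": ["*.example.com"]},
    {"serial": "9e00", "issuer": "Other CA X9",
     "names": ["example.com.other.test", "notexample.com"]},
]

def covers_watched(name, watched=WATCHED):
    """Return the watched domain that `name` falls under, or None."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):          # a wildcard covers the parent zone
        host = host[2:]
    for domain in watched:
        # Match on a label boundary so "notexample.com" does not count.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def review(entries):
    """Return alerts for logged certificates naming a watched domain
    that the owner cannot account for."""
    alerts = []
    for e in entries:
        hits = sorted(n for n in e["names"] if covers_watched(n))
        if not hits:
            continue
        reasons = []
        if e["issuer"] not in EXPECTED_ISSUERS:
            reasons.append("unexpected issuer")
        if e["serial"] not in KNOWN_SERIALS:
            reasons.append("not in issuance inventory")
        if reasons:
            alerts.append({"serial": e["serial"], "names": hits, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_ENTRIES):
        print(alert)
```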