But why not do both? It's unreasonable that there is a mountain of CAs out there that never sign certs for .us but still have the capability to do so. The more CAs that can sign a cert for my domain, the more chances that someone screws up. At the very least I agree with limiting CAs to a subset of TLDs for protection from hypothetical things like the Turkish government demanding that a Turkish CA sign a cert for facebook.com. If it was a countrywide attack, pinning the valid cert wouldn't be very effective if the browser has never been to your site before.
Because then you're stuck using that country's CAs, and so you can't pin the root or intermediate certs without giving them the keys. You could pin your cert, but that has other disadvantages.