Trust of a CA doesn't have to be binary - it could be stochastic.
Let's say that when a browser wishes to revoke a CA certificate, it chooses a timeframe for a "deprecation period". Before the deprecation period, the CA is fully trusted. After the deprecation period, it has been completely eliminated.
During the deprecation period, a browser will possibly pop up an error page rather than accepting the certificate. The probability of this happening increases as the deprecation period advances, slowly "turning up the pain" (likely exponentially or quadratically, for slow initial growth).
A reload will clear the error and load the page (or perhaps go through the probability again). Obviously it would be good if the site were notified through a header that this was happening. And user feedback will accomplish the same thing in a cruder manner.
Proactive sites would move off before the deprecation period even began. Less connected sites would get user reports and move off early in the period. Negligent sites would see their users migrate to different sites as their functionality got ever worse.
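An added illustration of the proposal above (not code from anyone in the thread): the per-page-load decision with a quadratic or normalised-exponential curve, plus a constructed simulation of how the warning rate climbs week by week. The curve shapes, the steepness constant, and the load counts are assumptions.

```python
import hashlib
import math

def deprecation_progress(now, start, end):
    """Fraction of the deprecation period that has elapsed, clamped to [0, 1].
    Times are plain numbers (here: days since some epoch)."""
    if now <= start:
        return 0.0
    if now >= end:
        return 1.0
    return (now - start) / (end - start)

def warning_probability(now, start, end, curve="quadratic", steepness=6.0):
    """Probability that this page load gets an error page instead of the site.
    Both curves grow slowly at first, as the post suggests; the exponential one
    is normalised so it reaches exactly 1.0 at the end of the period (assumed)."""
    p = deprecation_progress(now, start, end)
    if curve == "quadratic":
        return p * p
    if curve == "exponential":
        return math.expm1(steepness * p) / math.expm1(steepness)
    raise ValueError(f"unknown curve: {curve}")

def should_show_warning(now, start, end, load_id, curve="quadratic"):
    """Decide for one page load. load_id is a per-load nonce, so a reload
    re-rolls the dice (the 'go through the probability again' variant)."""
    digest = hashlib.sha256(load_id).digest()
    uniform = int.from_bytes(digest[:8], "big") / 2**64  # value in [0, 1)
    return uniform < warning_probability(now, start, end, curve)

def warnings_per_week(weeks=10, loads_per_week=2000, curve="quadratic"):
    """Constructed simulation: how many of loads_per_week page loads hit the
    error page in each week of a `weeks`-long deprecation period."""
    start, end = 0.0, 7.0 * weeks          # days from the start of deprecation
    counts = []
    for week in range(weeks):
        now = 7.0 * week + 3.5              # middle of the week
        hits = sum(
            should_show_warning(now, start, end, f"{week}-{i}".encode(), curve)
            for i in range(loads_per_week)
        )
        counts.append(hits)
    return counts

if __name__ == "__main__":
    for curve in ("quadratic", "exponential"):
        print(curve, warnings_per_week(curve=curve))
```

The first week's handful of warnings is what a competent site would react to; the last week's near-total failure is the "functionality got ever worse" end state.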
Would that not just encourage your average user to click through the security warnings and ignore them, potentially numbing them to other more important warnings?
Users aren't the ones who should feel the pain of a rogue CA, we need the CA to feel the pain somehow.
Perhaps it'd be better as a series of progressive informational pages than described in terms of certificate rejection. The central idea is that the site will become gradually less usable.
If a CA is being revoked, that's pretty close to the maximum pain they'll feel. But suddenly revoking a CA will cause users the most pain - I'm trying to make that gradual. A competent site would react in the first week when a few users got a mild warning, get a certificate from a new CA, then hopefully complain to the original CA demanding a refund and whatnot.