All these threats exist
No. Mythical nonsense threats— things like the claims that supporting x509 signed payment requests will allow CAs to monitor transactions— which are structurally impossible do not exist.
Just because something has some facility for checking some signing key was signed by another key and pretty printing a name doesn't magically give the root signer the ability to print money, monitor transactions, track users, or whatever other insipid nonsense people have convinced themselves of in their paranoia orgy. All it means is that they could impersonate that party in the pretty printing, but absent the existence of the facility _anyone_ could impersonate.
The CA infrastructure stinks and is proven compromised and alternatives should be invented, but PKI is a decades-old problem and has never been satisfactorily solved anywhere.
The fantastical, confused, and— in some cases— personally violent arguments made about the x509 signing in the payment protocol are beyond the pale, even in this sometimes cesspool of a forum. Having a real commitment to security means also being aggressive in refusing nonsense insecurity claims. Sorting out the signal from the non-man-made noise is already very hard. There is no excuse for additional noise. Trolling secure systems with paranoia and FUD would be a fantastic counter-security move for a well-funded attacker, and we must be robust against it.
If you've got an actual threat that people would be exposed to, please spell it out. Otherwise, cut the black-helicopter FUD. It's seriously demotivating and inevitably harmful to people's security.
Theymos, any chance you could contact GlobalSign — Cloudflare's CA partner — and point out we believe their relationship with Cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?
If it happened the way theymos described, it's a waste of time, except maybe for getting the cert revoked.
If the DNS was changed it won't be a fraudulent request from their PoV.
It would be good to have some evidence about the system being abused in order to get improvements to the way things are done. More selfishly, it would be easier to argue for adding BCT to the browser cert pins with that kind of information. Perhaps not worth the time, but I thought I'd ask.