
Signing another "CA=TRUE" cert seems like it should be a very restricted and audited operation, right? Is it out of the question to say that all such certs should be cleared by 3rd parties (like Mozilla and MS), on pain of revocation? Or is there a large use case outside of CA infrastructure I'm unaware of?

Google's response here seems a bit weak.



I would agree; there's really no reason that all major browsers couldn't ship with a complete list of all acceptable CA=TRUE certificates, intermediate or otherwise.


Unlikely and would cause problems. Parent was suggesting that they should be cleared separately without having to update browsers. I like the certificate transparency idea better though, and I wonder if it is possible to refuse new certs via public endpoints but allow certs to be manually added to the logs and SCTs to be manually issued, in case going that far is needed.


What problems, precisely? Sure, it would prevent current CAs from selling sub-CA certificates without coordinating with browser vendors. That's the point. What's a legitimate use case for doing so?


Yes, but the point is that this "coordinating" can be done without users having to update browsers themselves.


All the major browsers have automatic updates these days. And if the coordination doesn't include a browser whitelist, it has no teeth.


I just edited my comment to mention the certificate transparency solution.


Presumably there's some reason they aren't just doing this already. I mean, I sure hope so; otherwise it sounds like a rather big flaw for no reason.



