Thanks for your answers.
Sure. If I’d go for that path I’d have to live with this hopefully time-limited limitation. Any news on Apple’s progress on supporting that feature?
Yes, I pointed that limitation to a critical extension in my opening post. Anything else is obviously dangerous.
What’s the reason for this step? If my CA issues bad certificates for whichever reason, they can only be for my own domain, so that should be solely my problem, shouldn’t it?
So it’s just a contractual/legal topic then? For which reason? I can already issue certificates for random domains, they are just not valid for one or the other reason, so nobody should trust them. If I’d be allowed to create certificates for my domain, why should that require more scrutiny if I can only shoot myself into the foot?
Are there other technical topics than the Apple etc. feature support topic? Perhaps browser developers planning to enforce certificates must be on a CT chain which might not want to trust my –non-audited– Signing CA’s chain update posts?
Furthermore, this feature could be combined with other features, namely OCSP Must Staple RFC 7633 - X.509v3 Transport Layer Security (TLS) Feature Extension for the Signing CA certificate: Just as with disclosed keys for host certificates, OCSP Stapling could manage to get rid of detected misuse in relatively short time.
So, other than ‘no sufficient support for it in browsers’ and rules that have not been updated to reflect the possibilities of the freedom if correctly used, and perhaps business topics of even more angry CAs losing money, I only see benefits of this approach: I would have full freedom of my domain by creating certificates as I like, would stop eating up public Signing CA resources for each certificate, and if something goes wrong it’s just my fault.