[Sovereign Keys] Evidence for claim - CA-signed certificate

Ondrej Mikle ondrej.mikle at nic.cz
Sun Dec 18 15:23:48 PST 2011


Hi,

I'm a bit puzzled by the option of using a CA-signed certificate to claim control
of a DNS name. Despite having re-read the text a couple of times, I think I'm not
understanding it correctly.

According to my interpretation, the owner of domain example.com can create an
additional RSA/ECC sovereign key and obtain a CA-signed certificate that has the
key in SubjectPublicKeyInfo and the domain's FQDN in CN/SAN.

This would create a loophole, though: if an attacker gains control of any CA (or
uses other tricks), he can issue himself a CA-certificate with a key of his
choosing and use that certificate to claim the domain's ownership. What am I
missing?

Ondrej
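As an added illustration (this is not part of Ondrej's message or of the Sovereign Keys design), the Go program below builds the evidence check the post describes and then exercises the concern it raises. Two constructed, throwaway CAs are placed in the verifier's trust store; the legitimate one signs a certificate binding example.com to the owner's sovereign key, the other signs a certificate binding the same name to an unrelated key. `VerifyClaim` accepts a certificate that chains to any trusted root, is valid for the FQDN and carries exactly the claimed key in SubjectPublicKeyInfo; both certificates pass, which is the loophole. The optional `pinnedRoot` argument, which additionally requires the chain to end at one expected CA, is a hypothetical tightening added here for contrast, not something the text specifies. All names, keys and certificates are generated at run time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// authority is a CA certificate with its signing key (constructed for this demo).
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// must panics on error so the demo reads linearly; fine for a demo, not for production.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA valid for one day; a constructed stand-in, not a real CA.
func newCA(name string) authority {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return authority{must(x509.ParseCertificate(der)), key}
}

// issueLeaf has a sign a certificate naming fqdn in the SAN and carrying pub in
// SubjectPublicKeyInfo: the shape of evidence the post describes.
func issueLeaf(a authority, fqdn string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: fqdn}, DNSNames: []string{fqdn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, a.cert, pub, a.key))
	return must(x509.ParseCertificate(der))
}

// VerifyClaim accepts leaf as evidence if it chains to a CA in roots, is valid for
// fqdn and carries exactly the claimed sovereign key. If pinnedRoot is non-nil the
// chain must also end at that CA (a hypothetical tightening, not from the text).
func VerifyClaim(leaf *x509.Certificate, roots *x509.CertPool, fqdn string, sovereign *ecdsa.PublicKey, pinnedRoot *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: fqdn})
	if err != nil {
		return err
	}
	want, err := x509.MarshalPKIXPublicKey(sovereign)
	if err != nil {
		return err
	}
	if !bytes.Equal(leaf.RawSubjectPublicKeyInfo, want) {
		return errors.New("SubjectPublicKeyInfo does not match the claimed sovereign key")
	}
	if root := chains[0][len(chains[0])-1]; pinnedRoot != nil && !root.Equal(pinnedRoot) {
		return errors.New("certificate chains to a CA other than the pinned one")
	}
	return nil
}

// Demo reproduces the post's scenario: the owner's evidence, evidence for the same
// name from any other trusted CA (plain check), and that second evidence once the
// verifier pins the legitimate issuer.
func Demo() (ownerOK, otherCAOK, otherCAPinnedOK bool) {
	const fqdn = "example.com"
	legit := newCA("Legitimate CA")
	other := newCA("Any other trusted CA")
	roots := x509.NewCertPool()
	roots.AddCert(legit.cert)
	roots.AddCert(other.cert)
	sovereign := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	unrelated := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ownerLeaf := issueLeaf(legit, fqdn, &sovereign.PublicKey)
	otherLeaf := issueLeaf(other, fqdn, &unrelated.PublicKey)
	ownerOK = VerifyClaim(ownerLeaf, roots, fqdn, &sovereign.PublicKey, nil) == nil
	otherCAOK = VerifyClaim(otherLeaf, roots, fqdn, &unrelated.PublicKey, nil) == nil
	otherCAPinnedOK = VerifyClaim(otherLeaf, roots, fqdn, &unrelated.PublicKey, legit.cert) == nil
	return
}

func main() {
	ownerOK, otherCAOK, otherCAPinnedOK := Demo()
	fmt.Printf("owner accepted=%v  other trusted CA accepted=%v  other CA with pinned issuer accepted=%v\n",
		ownerOK, otherCAOK, otherCAPinnedOK)
}
```

The plain check passes for both certificates because nothing in the evidence says which CA was supposed to issue it; the verifier's trust store, not the domain owner, decides whose signature counts. Pinning the issuer turns the second result into a rejection, at the cost of having to know the expected CA in advance.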
