
I'm confused about how intermediate CAs add to the security of the PKI.

I realize the compromise of a root CA key is catastrophic, as it would consequently have to be purged from the trust store of every relying party, such as operating systems and browsers. For this reason, root keys are kept offline to prevent compromise.

But I don't understand how the compromise of the subordinate CA is not considered equally dangerous. Wouldn't the relying party anchoring trust in the root CA still trust the rogue certificate signed by the compromised subordinate CA? Or is there something I'm missing about the X.509 specification or TLS protocol?

Tuomas Toivonen

In short, to address your main point: an intermediate CA can be revoked by the root CA; a root CA cannot be revoked, but it needs to be explicitly removed from the trust store of all clients. – Steffen Ullrich Oct 27 '18 at 07:39
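
The difference described in the comment above, as an added example that is not part of the original question or comment: a simplified model of a relying party's path validation. It assumes signatures and validity dates have already been checked and only models issuer linkage, CRL lookups and the trust store; all names and serial numbers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool = False

@dataclass
class RelyingParty:
    trust_store: set = field(default_factory=set)  # subjects of trusted root CAs
    crls: dict = field(default_factory=dict)       # issuer subject -> revoked serials

    def validate(self, chain):
        """chain is ordered leaf first, trust anchor last. Returns (ok, reason).
        Assumption: signature and date checks are done elsewhere."""
        if chain[-1].subject not in self.trust_store:
            return False, "untrusted root"
        # Every certificate below the anchor is checked against its issuer's CRL.
        # The anchor itself has no issuer above it, so no CRL can ever cover it.
        for cert, issuer in zip(chain, chain[1:]):
            if cert.issuer != issuer.subject or not issuer.is_ca:
                return False, f"broken chain at {cert.subject}"
            if cert.serial in self.crls.get(issuer.subject, set()):
                return False, f"{cert.subject} revoked by {issuer.subject}"
        return True, "ok"

def scenario():
    # Constructed sample hierarchy.
    root = Cert("Root CA", "Root CA", 1, is_ca=True)
    inter = Cert("Intermediate CA", "Root CA", 2, is_ca=True)
    rogue = Cert("rogue.example", "Intermediate CA", 666)   # issued with stolen intermediate key
    rogue_direct = Cert("rogue2.example", "Root CA", 667)   # issued with stolen root key
    rp = RelyingParty(trust_store={"Root CA"})
    out = {}
    out["before_revocation"] = rp.validate([rogue, inter, root])
    rp.crls["Root CA"] = {inter.serial}        # root publishes a CRL listing the intermediate
    out["after_revocation"] = rp.validate([rogue, inter, root])
    rp.crls["Root CA"] = {root.serial}         # listing the root on its own CRL changes nothing
    out["root_on_own_crl"] = rp.validate([rogue_direct, root])
    rp.trust_store.discard("Root CA")          # only a trust-store update on the client helps
    out["root_removed"] = rp.validate([rogue_direct, root])
    return out

if __name__ == "__main__":
    for step, result in scenario().items():
        print(step, result)
```
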

0 Answers