
It's pretty clear and well-written, so I think it's going to be worth reading to explain why the system is wrong for as long as our system is a list of permanently trusted CAs. There's no reason I should be trusting all those CAs to sign for anything on the internet forever.


No CA is permanently trusted. CA certificates expire like any other SSL certificate, and most of the CA certificates that my browser trusts will expire in about 10 years. In addition, browser vendors like Mozilla routinely make decisions to add and delete CA certificates.
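An added example (not part of this thread) of checking the expiry claim against a trust store with Python's `ssl` module: it buckets root certificates by `notAfter` and, when run directly, reports on the roots this Python build trusts. The `SAMPLE_STORE` entries are constructed, hypothetical records in the shape `SSLContext.get_ca_certs()` returns, not real CAs.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns.
# Names and dates are hypothetical, not real CA records.
SAMPLE_STORE = [
    {"subject": ((("commonName", "Example Root CA 1"),),),
     "notAfter": "Jan  1 00:00:00 2040 GMT"},
    {"subject": ((("commonName", "Example Root CA 2"),),),
     "notAfter": "Jan  1 00:00:00 2025 GMT"},
    {"subject": ((("commonName", "Example Root CA 3"),),),
     "notAfter": "Jun 30 00:00:00 2020 GMT"},
]

def common_name(cert):
    """Pull commonName out of the nested subject tuples get_ca_certs() uses."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def classify(store, now=None, horizon_years=10):
    """Split a trust store into expired / expiring within horizon / beyond."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=365 * horizon_years)
    buckets = {"expired": [], "within_horizon": [], "beyond_horizon": []}
    for cert in store:
        # cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        name = common_name(cert)
        if expires <= now:
            buckets["expired"].append(name)
        elif expires <= horizon:
            buckets["within_horizon"].append(name)
        else:
            buckets["beyond_horizon"].append(name)
    return buckets

def system_store():
    """Roots trusted by this Python/OpenSSL build (not the browser's own store).
    On builds that use a capath directory this may be empty until certs load."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()

if __name__ == "__main__":
    for bucket, names in classify(system_store()).items():
        print(f"{bucket}: {len(names)}")
```

Browsers ship their own root stores, so comparing this output with the browser's certificate manager shows how the two lists differ.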


I think literally forever is an exaggeration (as it pretty much always is). But the point is that you have to trust them for longer than you would like to, because once they've signed the certificates for a huge chunk of the internet, you can't take them back out without breaking a ton of stuff. Meanwhile as long as they remain trusted they can keep signing new certificates and making it that much harder to ever remove them.

The ones that get permanently removed are generally because they've already gone out of business.



