That's not what you described though, because then you wouldn't be able to revoke it once you notice it. You can't revoke a certificate without its private key. (Then it's only the CA who could if you convince them of the misissuance. Which probably means proving current access right now and asking the CA to revoke it.)
In any case if someone can become the thing you're trying to validate, be it access to an IP address or some DNS zone, you're kinda out-of-luck anyways. Though WebPKI has CT, which will give you some insight into it, unlike everything else out there.
Yeah I thought you could issue an exclusive certificate that revokes all others, guess I am wrong.
> In any case if someone can become the thing you're trying to validate
That's kind of the thing that certificate validation is supposed to solve, an attacker posing as you. That's why the article says it's useless in theory. In practice MITM at validation is harder than in use, but it does have issues. That's why Let's Encrypt wasn't the default model.
> That's kind of the thing that certificate validation is supposed to solve, an attacker posing as you [...]
No, not really. Certificates get issued to hostnames and less frequently, IP addresses. If someone has full control over that resource then what's the actual difference between "you" and "attacker"? Should they run a malware scan too that your server is not compromised?
It's not a thing a CA can solve if you've completely lost control of your infrastructure.
