Problem

If a couple of people use the SnakeOil-Inc. keypair from OpenSSL to generate their CAcert certificate, then we are practically issuing certificates for Snake Oil Inc. that anyone can use.

Solutions

CAcert maintains copies of CSRs and certificates. Verify that the keyhash isn't the same as any other keyhash that's been issued, and make sure that "known-compromised" keys aren't used. (It might be nice for CAs to start putting out the certificates which have been revoked, as well as the fact of revocation, as part of their CRL publication processes... but that would also imply that CAs trust each other.)

Good ideas.

Ok, so we have a couple of known compromised key sources, and a "should not duplicate" keyspace.

Regarding other CAs and their revocation lists: We can't trust keyhashes unless we see the compromised private keys themselves. Issues detected through their revocation lists can only be raised as an alert for our admins; we must not take automatic actions because of them.

Yes, a known-compromised keylist would be a good thing. We must fill that with the existing available private keys, to make sure that they are really a problem.

We should start a spider that searches for compromised keys on several networks. (Google, EDonkey, ...)

We should use standard software to generate dummy keys, and feed them into the compromised list.

But we have to be careful with one thing: One user/organisation is allowed to create multiple certificates backed by the same private key. ISPs should also have that possibility for their vhost servers.
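The checks discussed above, combined into one issuance decision, as an added sketch that is not CAcert's own code. It assumes the keyhash is SHA-256 over the DER-encoded public key, that a duplicate from a different account is refused, and that accounts are plain strings; all names and the sample key bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def key_hash(spki_der: bytes) -> str:
    """Hash the public key itself, not the CSR or certificate around it."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class KeyRegistry:
    compromised: set = field(default_factory=set)      # private key is known to be public
    issued: dict = field(default_factory=dict)         # keyhash -> account that first used it
    foreign_revoked: set = field(default_factory=set)  # seen in other CAs' revocations, unverified
    alerts: list = field(default_factory=list)         # items for the admins to review

    def check(self, account: str, spki_der: bytes):
        h = key_hash(spki_der)
        if h in self.compromised:
            return ("reject", "known-compromised key")
        owner = self.issued.get(h)
        if owner is not None and owner != account:
            # Same key under a different account: duplicate keyspace violation.
            self.alerts.append((h, f"key of {owner} resubmitted by {account}"))
            return ("reject", "key already issued to another account")
        if h in self.foreign_revoked:
            # Unverified hint from another CA: alert only, no automatic action.
            self.alerts.append((h, "key hash appears in a foreign revocation"))
        self.issued.setdefault(h, account)
        # Reuse by the same user/organisation (e.g. ISP vhosts) is allowed.
        return ("issue", "reused by owner" if owner == account else "new key")


# Constructed stand-ins for DER-encoded public keys (not real key material).
SNAKEOIL = b"constructed-spki-snakeoil"
KEY_A = b"constructed-spki-a"
KEY_B = b"constructed-spki-b"


def demo():
    reg = KeyRegistry()
    reg.compromised.add(key_hash(SNAKEOIL))
    reg.foreign_revoked.add(key_hash(KEY_B))
    return [reg.check("isp", KEY_A), reg.check("isp", KEY_A),
            reg.check("mallory", KEY_A), reg.check("bob", SNAKEOIL),
            reg.check("bob", KEY_B)], reg.alerts


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```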

CompromisedKeys (last edited 2008-05-22 22:17:04 by anonymous)