Yes, but then that bogus certificate is in the wild. Once once someone has a copy of a bogus certificate, then they can prove that that CA is corrupt. That CA loses its business model. What I am saying does not prevent one-off attacks, but all it takes is one person to capture a bad certificate to discredit a CA. Hence it would not work in a universal censorship scheme as Google is combating. Maybe I am still overlooking something, and I suppose China could just SSL proxy the whole country, which would defeat all of this.