The Potential of an Individualized Set of Trusted CAs: Defending Against CA Failures in the Web PKI

The security of most Internet applications relies on underlying Public Key Infrastructures (PKIs) and thus on an ecosystem of Certification Authorities (CAs). The pool of PKIs responsible for the issuance and maintenance of SSL certificates, called the Web PKI, has grown extremely large and complex. Within it, each CA is a single point of failure, which creates an attack surface whose size can hardly be assessed. This paper addresses the question of whether and how that attack surface can be reduced in order to minimize the risk of relying on a malicious certificate.

Resource Details

Provided by: Technische Universität Clausthal
Topic: Security
Format: PDF