Seems to me there is going to be a growing demand for greater accountability in CAs. Does the protocol support requiring a certificate to be signed by two (or more) trusted CAs? Then even if one CA is hacked or spoofed into signing a bogus certificate, hopefully the other one hasn't been.
The line between how a browser or even a TLS library validates a certificate and what the protocol requires is blurry (you can do more than the TLS protocol itself needs you to do), but, no, you can't sign a cert with 2 CAs.
You could, however, have two certificates issued by different CAs signing the same public key. I'm not sure if the protocol requires the additional certificates to be part of the same chain, though.
