NSS

Comment 27 for bug 310999

In , Robin-comodo (robin-comodo) wrote :

(In reply to comment #11)
> However, it is possible to effectively cause an individual subordinate CA
> to be treated by NSS as invalid, thereby causing all certs that were
> issued by (subordinate to) that CA to be treated as invalid. This can be
> done by downloading a replacement cert for that subordinate CA into one's
> browser, a replacement that is invalid but which effectively supersedes
> the existing valid subordinate CA cert.
<snip>
> There are pros and cons to this idea. Here are some additional considerations:
> - A replacement cert could be made available TODAY for download.
> - A replacement cert in the "built in" list of CA certs could not be
> deleted by the user.
> - A replacement cert in the "built in" list could be marked as trusted by
> the user, if the user wished to continue to trust certs issued by that CA.
> - A replacement cert is (in some sense) an (intentionally bad) forgery,
> and might receive a hostile reaction from the superior CA(s) who issued
> the cert(s) being replaced. (Robin: care to comment on that?)

Nelson,
If we had a "rogue" CA cert then we may well have no objection to you issuing something that looked like it to assist in the removal of trust from it. Heck, we'd help you do it.

I guess my initial thoughts on doing that as a method of solving the problem are
a) that isn't the correct scope of fix for this problem. The CA isn't the problem, one RA is.
b) if the CA were the problem we'd revoke it.