NSS

Comment 30 for bug 310999

Philipp Kern (pkern) wrote :

Well, I would like to defer to Mozilla's judgement here, as it comes from their truststore. On the other hand we do not have the possibility, to my knowledge, to add an intermediate CA to the package with some negative trust value. So we would need to prune Comodo completely.

As stated CertStar is a contracted RA of Comodo, so they have their own domain validation in place, in constrast to normal resellers. I also see the problem that we would cut off thousands of valid certificates, those which were issued by Comodo instead of, say, PositiveSSL (if this is the RA CertStar operates).