Comment 138 for bug 232340

In , Rich-thefreemanclan (rich-thefreemanclan) wrote :

This is starting to drift a little off the topic of CAcert, but the MS certificate wasn't resolved by issuing a new root (to my knowledge), but rather by hard-coding the bad certificate ID into IE so that it would be automatically rejected by the browser.

If anything this highlights a key weakness in the whole certificate process - revocation. The problem is that many/most browsers do not check CRLs by default, and many CAs do not properly support this (I used to get numerous errors when checking CRLs due to CRL servers having problems).

If a goal is to drive CAs to be more secure, one mechanism would be to make the default be to check CRLs, and not include root CAs unless they maintain CRL servers with good availability.