Comment 139 for bug 232340

> If a goal is to drive CAs to be more secure, one mechanism would be to make the
> default be to check CRLs, and not include root CAs unless they maintain CRL
> servers with good availability.

I personally use CAcert and they actually have a very good CRL system. Couldn't understand from the previous posts why the bogus certificate wasn't just revoked...