Comment 181 for bug 232340

In , Mozilla-kodespace (mozilla-kodespace) wrote:

To me this problem could perhaps be solved in a completely new and enlightened way.

Rather than having all this banter: 'is this CA worthy', 'who decides the worthiness', 'this CA is better than that one'. What seems quite obvious is that:
a) Mozilla does not want to tarnish its name by adding untrustworthy CAs.
b) New CAs who may (or may not) be worthy need to be trusted, ultimately, by one body.
c) Root CAs that are not listed as part of a product (eg Mozilla) are pretty much as good as a self-signed certificate to the standard end user (they get prompted with lots of dialog boxes they must click OK in to continue).

To me it seems obvious that Mozilla could add an automatic lookup in its browser for unknown Root CAs. This lookup would be hosted on Mozilla's own site. In essence, it would operate like spamcop, or similar, where the community (and not individuals) has a say in who is trustworthy. A mandatory timeout (like a DNS) for a root cert would ensure that root CAs can also be blacklisted.

Here's a basic 'mud map' of how a system might work:
i) end user browses to a page with a site cert that requires root cert for XYZ.
ii) If the browser doesn't have XYZ, it contacts Mozilla for the cert.
iii) Mozilla responds with the cert with 2 extra items: how 'trustworthy' this cert is (like a spam level filter) and how often this root should be checked against the Mozilla database (like a DNS lookup).
iv) If the cert isn't recognised, Mozilla can respond in VERY terse language suggesting that continuing may be really really bad (which is all most end users want to know about).
v) Mozilla would also need to introduce a 'report a bad SSL site'. Clicking on this would report back to Mozilla the site cert and the root cert of the offending site. Its database would then be updated and the 'spam level'/trustworthiness indicator may be adjusted accordingly.
vi) Root CAs would contact Mozilla when they wish to announce themselves. Mozilla could then analyse requests for sites using this new root and then decide if it should be listed or not...and using what trustworthiness.

Voila! Problem solved. This system has the benefit of:
a) Allowing new roots (eg CA Cert) to become registered without needing to wait for another version
b) Blacklist Root Certs if they prove to be completely untrustworthy
c) Warn end users of highly suspicious site certs
d) Mozilla doesn't need to rely upon 3rd parties for arbitrage. They themselves decide an initial trustworthiness (probably just one level above 'blacklisted') and the community then decides for itself.

To me, this would be the open-community-style solution that we should expect from Mozilla.

Hope you like it.
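The lookup scheme in steps i) to vi) above, as an added toy simulation (this is illustration code, not Mozilla code and not the commenter's): a hypothetical `TrustDirectory` stands in for the Mozilla-hosted database, a `Browser` for the client, certificate fingerprints are plain strings, and the trust levels, the report threshold and the re-check interval are all constructed values. The part worth seeing in code is the DNS-style timeout: a client keeps a cached answer until the interval lapses, so a root that the community has since blacklisted is still accepted (with a warning) by that client until its next re-check.

```python
"""Toy model of the community root-CA lookup proposed in the comment.
Constructed illustration; every name and value here is hypothetical."""
import time
from dataclasses import dataclass

# Trust levels in the spirit of the proposal's 'spam level' indicator.
BLACKLISTED = 0
UNVERIFIED = 1         # initial level, "one level above 'blacklisted'"
COMMUNITY_TRUSTED = 2
BUILTIN = 3            # shipped with the product; never looked up remotely


@dataclass
class DirectoryEntry:
    cert_pem: str
    trust_level: int
    recheck_seconds: int   # the DNS-like TTL: how often clients must re-ask
    reports: int = 0


class TrustDirectory:
    """Hypothetical central lookup service (the proposal's Mozilla database)."""

    def __init__(self, demote_after=3):
        self.entries = {}
        self.demote_after = demote_after   # reports needed before blacklisting

    def announce(self, fingerprint, cert_pem, recheck_seconds=3600):
        # Step vi: a new root announces itself and starts just above 'blacklisted'.
        self.entries[fingerprint] = DirectoryEntry(cert_pem, UNVERIFIED, recheck_seconds)

    def lookup(self, fingerprint):
        # Steps iii/iv: reply with cert + trust level + re-check interval, or a
        # terse warning for a root the directory does not recognise.
        entry = self.entries.get(fingerprint)
        if entry is None:
            return {"known": False, "trust_level": BLACKLISTED, "recheck_seconds": 0,
                    "message": "Root not recognised; continuing may be really bad."}
        return {"known": True, "cert": entry.cert_pem,
                "trust_level": entry.trust_level,
                "recheck_seconds": entry.recheck_seconds}

    def report_bad_site(self, root_fingerprint, site_fingerprint):
        # Step v: 'report a bad SSL site' sends site + root back; enough reports
        # push the root to 'blacklisted'. Returns the root's current level.
        entry = self.entries.get(root_fingerprint)
        if entry is None:
            return BLACKLISTED
        entry.reports += 1
        if entry.reports >= self.demote_after:
            entry.trust_level = BLACKLISTED
        return entry.trust_level


class Browser:
    """Client side: built-in roots pass outright; unknown roots are looked up and
    the answer is cached only until the directory's re-check interval expires."""

    def __init__(self, directory, builtin_roots, clock=time.time):
        self.directory = directory
        self.builtin = set(builtin_roots)
        self.clock = clock
        self.cache = {}    # fingerprint -> (trust_level, expires_at)

    def root_trust_level(self, fingerprint):
        if fingerprint in self.builtin:
            return BUILTIN
        now = self.clock()
        cached = self.cache.get(fingerprint)
        if cached is not None and now < cached[1]:
            return cached[0]                       # still inside the TTL
        reply = self.directory.lookup(fingerprint)  # step ii: fetch the missing root
        if reply["known"] and reply["recheck_seconds"] > 0:
            self.cache[fingerprint] = (reply["trust_level"], now + reply["recheck_seconds"])
        else:
            self.cache.pop(fingerprint, None)      # unrecognised roots are never cached
        return reply["trust_level"]

    def decide(self, fingerprint):
        level = self.root_trust_level(fingerprint)
        if level == BLACKLISTED:
            return "block"
        return "warn" if level == UNVERIFIED else "proceed"


class FakeClock:
    """Controllable clock so the TTL behaviour can be exercised without sleeping."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Walk steps i-vi with constructed data; return the browser's decisions in order."""
    clock = FakeClock()
    directory = TrustDirectory(demote_after=3)
    directory.announce("root-xyz", "-----BEGIN CERTIFICATE----- (constructed)", recheck_seconds=600)
    browser = Browser(directory, builtin_roots={"root-builtin"}, clock=clock)
    out = [browser.decide("root-builtin"),          # shipped root: proceed
           browser.decide("root-xyz"),              # newly announced root: warn
           browser.decide("root-never-announced")]  # unknown root: block
    for _ in range(3):                              # three reports blacklist the root
        directory.report_bad_site("root-xyz", "site-abc")
    out.append(browser.decide("root-xyz"))          # cached answer still says warn...
    clock.advance(601)                              # ...until the re-check interval lapses
    out.append(browser.decide("root-xyz"))          # now block
    return out


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` gives `["proceed", "warn", "block", "warn", "block"]`: the fourth entry is the window the proposal's mandatory timeout bounds, since a short `recheck_seconds` limits how long a client keeps trusting a root after the directory has blacklisted it, at the cost of more lookups.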