Comment 65 for bug 232340

(In reply to comment #64)
> > People don't want their users to get confused by the popup
> > dialog that the website they are accessing is not recognized!
>
> Not really... What was suggested is that some CA root certs ship "flagged" (i.e.
> not trusted out of the box). That way, if a user connects to a web server with
> an SSL cert signed by a "flagged" root cert, they will be prompted.

Indeed. The idea is that for the end user without much knowledge it is
good to have a wide set of root certs available shipped with the browser,
though I agree that they should not all be equally trusted.

> To a user it makes absolutely no difference: they see a popup either way
> (whether the root cert is included and flagged or not included at all). If they
> choose to "always trust it" in the latter case, the certificate will be stored
> in that user's certificate manager, which automatically will make it trusted (as
> far as I understand). From the point of view of PKI, this is *bad*, because
> ideally one is supposed to get the *root* certificate in their certificate
> manager, so that any certificates that are signed by that root cert will
> implicitly become trusted and won't have to be added in manually.

Which is why it should ship with it, though disabled at mozilla.org's discretion.