Comment 77 for bug 232340

In , David-rossde (david-rossde) wrote :

Those who want this root certificate now can always go to the first link listed
in comment #19 to obtain it. They will then take full responsibility for their
own actions rather than depending upon Mozilla.

In the meantime, it is appropriate for Mozilla to evaluate the practices of
CAcert. After all, Mozilla is trying to maintain the trust its users have in
its products. That trust includes relying on root certificates delivered with
those products.

Without doing my own validation of root certificates, I want to have some
confidence that a secure Web site indeed belongs to whom it claims to belong.
That means the certificate authority (owner of the root certificate) exercises
some demonstrated care issuing site certificates.

By "demonstrated care", I mean demonstrated to some third party (e.g., an
examination conducted by the Mozilla Foundation) and not merely a self-serving
assertion. This is the whole point of the policy proposed under bug 233453.
The alternative -- accepting proposed certificates without any evaluation --
could open Mozilla to phishers and hackers and destroy all trust.

By the way (reference comment #75), the Mozilla Foundation is a corporation
(incorporated in California) and is thus a legal entity. CAcert is an
association (based in Australia); I don't know its legal status.