Comment 86 for bug 232340

In , Rich-thefreemanclan (rich-thefreemanclan) wrote:

Rouben - in response to "Before we discuss CACert (or any other CA, be
they "open/free" or not), the Mozilla Foundation needs to come up with a policy
for reviewing CAs such as CACert."

If that were really Mozilla's policy, then in the interest of fairness all CAs
should be stripped from the Mozilla browsers. It seems like incumbents are
being held to a lower standard than open and free CAs. Indeed, Verisign issued
a code signing key for Microsoft to a hacker, and little happened. I'm sure
that if CACert.org did such a thing it would be grounds to never speak to them
again.

I did not see any obvious discussion related to this particular issue in the
newsgroup, although I did see some discussion about the general policy that is
being set up - from December.

I think the issue is that the status quo is being treated as good enough for
now. A revised policy is proposed, after a month or two another revision is
posted, maybe in six months it will be done, and some board will vote on it and
suggest a few changes, maybe in another 6-9 months we'll be before the board
again, etc.

If the interim solution were to not put any certs at all in the browser pending
the creation of a policy, you can bet that the policy would be done in a month.
Companies like Verisign would probably be screaming restraint of trade and
threatening to sue.

So, perhaps the issue is that the free CAs just aren't noisy enough to worry
about?

(I'm not really suggesting that we should really strip out the root CAs that
are present now. However, it really doesn't look like this situation is going
to ever get resolved unless it is treated like a priority.)