Comment 44 for bug 600779

In , Joe-moore (joe-moore) wrote :

The way I understand the issue, Firefox needs to trust the CA before they can pass that trust on. Err on the side of making sure the trust is well placed.

The bigger 'problem' is the nature of cert use. There are really 2 reasons to use a cert. One is to truly trust the source page, the other is to encrypt traffic on the wire. In a perfect world, the customer would know the difference--but we don't live in a perfect world. If I tell a casual user they can do their banking as long as the padlock in the browser is OK and the URL says https--I'd better know *not just hope* that the browser did its homework in putting the cert in the trust path. Am I ready to suggest banking over Chrome? Probably not. Firefox? Yes. IE--that's an entirely different set of questions :-)

If I'm running a bank with a few dozen certs, $500/cert is nothing. If I'm running a small computer science dept with a dozen production servers and 2 dozen test servers that all need certs, I have a different business case. I may need to tell my users to go past an extra page of verification or (ugh!) use a browser that I don't trust to go to the bank with. Nothing against Chrome--it just lives in a different world (assuming the statement made about Chrome was correct--I didn't check it out myself).