Posted Feb 4, 2010 8:21 UTC (Thu) by tzafrir (subscriber, #11501)
Parent article: Mozilla and CNNIC
A somewhat unrelated comment:
Either the CNNIC CA misbehaves or it doesn't. In either case, the inclusion procedure Mozilla have applied verified very well that this certificate does indeed belong to them. Thus even if I don't trust them for signing certificates, I can trust Mozilla for verifying their identify.
I wonder if there's a point in shipping various certificates as "disabled by default". E.g. not all users may trust CNNIC or http://www.cacert.org/ . But it helps to have a well-verified root-CA of them delivered to you through a channel you trust (if you can't trust the browser you installed, other things are broken anyway).