
curl-users

Re: cacert...

From: Christian Biere <christianbiere_at_gmx.de>
Date: Thu, 18 Nov 2004 10:10:56 +0100

Daniel Stenberg wrote:
> Since the Mozilla project already have a set routine and an established
> system to deal with this subject, I'm leaning towards replacing our cacert
> bundle with the one we extract and convert from the Mozilla project. If it
> allows us, license-wise.

I wouldn't want to decide on that either, and if you accidentally include
a cert that turns out to be badly handled, you'll probably get blamed
(a little) as well. On the other hand, why would one trust VeriSign
more than any other CA? They have quite a stack of corpses in their
cellar... if you catch my drift. After all, it's the user's responsibility
to decide which CA he trusts and which he doesn't consider trustworthy.
 
> Then again, cacert.org doesn't seem to be in the Mozilla cacert either...!

Sure, but they're somewhat elitist with respect to adding CAs. For
example, there's also DFN-PCA <url:http://www.dfn-pca.de/>, which is
mostly used by German universities. I certainly trust them at least as much
as any of the "well-known" (American) CAs. The problem is that if Joe
Average gets a popup saying "blah blah, do you want to install", he either
gets suspicious and leaves or gets used to accepting whatever the browser
or similar application suggests. And, of course, if a CA isn't part of
such a standard set, it's much more difficult for them to sell any certs.

Maybe it's best if you provide 2 or 3 different sets, i.e., one set which
is equivalent to Mozilla's set, another one with additional known-to-be-good
CAs, and perhaps a third one which simply includes all known CAs. Perhaps
you want to open a poll or the like to see which CAs are wanted the most.

-- 
Christian

Received on 2004-11-18