The most shocking aspect of this is how it reveals that Mozilla, Microsoft and Google do zero due diligence before adding a new root CA, relying on independent researchers to find problems.
Is that still the case? Or is it just that new root CAs get the appropriate amount of scrutiny, but a lot of existing CAs have been effectively grandfathered in because they were added two decades ago when folks weren't as diligent?
EDIT: elsewhere in the thread someone linked the Bugzilla request for TrustCor to be added. I had assumed that was a long time ago, but it's "only" 7 years ago.