Read the root certificate inclusion policy of your vendors. In the end it comes down to how much you trust the vendor to implement the policy faithfully and whether you agree with the policy itself.
Why do you single out Mozilla? Trustwave is still trusted by Microsoft and Google too...
IIRC, it's that event that led to a policy revision; what they did at the time (and by "they" I mean everyone, Mozilla included) was apply their policy of the moment.
It was one of the events that led to what happened to CNNIC...
I didn't single them out; Mozilla singled themselves out from the others. They insist on being the only free browser out there, and when push comes to shove, they collapse.
Did you miss the discussion in the bug report? It was clear TrustWave was in violation of the policy, even at the time. If you issue a CA=YES to a 3rd party that then goes on MITMing Google, I can't imagine there exists a policy out there you are not in violation of.
And what did they do? Nothing. Instead of being the free spirit out there, they just follow whatever Google does. Even now, they are only following Google's lead. They have the unique opportunity that their crazy compat layer affords in having their own root certificate store across all platforms, and they do nothing. It's a disgrace.
At some point, as an individual user, you have to trust someone: the browser's vendor, the OS vendor, the hardware vendor, the component's vendor, the factory/distribution chain. For now, trusting the browser seems relatively inevitable. Trusting CAs might not be the only alternative for long, however: https://namecoin.info/ (as one of a few possible but not quite ready for prime time solutions).
You will probably have to trust the browser vendor and the OS vendor somewhat for the foreseeable future, though. In theory, open source can help up to the hardware layer, but even that only really matters if you assume a large enough number of people are auditing every piece of code you run in practice, as well as every tool used to build it. User-auditable hardware seems unlikely any time soon, even when you assume the kind of user that reads diff patches before updating their browser install... a demographic composed of about three guys at Mozilla who are also Gentoo users.
Yet it works with way over five nines confidence. Despite all its faults, the system works decently.
I would myself prefer DANE being used, because it's IMHO sounder technically, but we'll possibly have the same issue with registrars doing a sloppy job as we have with CAs, so I'm not sure that it would actually be a win...
DANE has its own issues though: by itself, even if you're using DNSSEC with it (as you ought to be), you're essentially shifting trust from CAs to registry operators, your DNS service provider, and whoever operates the root zone.
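The two technical claims in this thread (that a CA:TRUE sub-CA handed to a third party lets that party mint a valid cert for any site, and that DANE replaces the CA check with a key hash published in DNS) can both be shown with Go's standard library. The example below is added by the editor and is not code from any commenter or from any of the vendors mentioned. It builds a throwaway root, issues a "Third-Party Sub CA" from it with and without a dNSName name constraint, has that sub-CA issue a leaf for www.google.com, and runs the same path validation a client would; it then derives a DANE-EE TLSA record (usage 3, selector 1, matching type 1, i.e. SHA-256 over the SubjectPublicKeyInfo) for the genuine site key and checks the rogue leaf against it. All names, hostnames and keys are constructed on the fly and are illustrative only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial for the constructed certs

// template builds a bare certificate template; CA templates get the certSign key usage.
func template(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// genCert signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func genCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Chain holds a root, a CA:TRUE sub-CA issued by it, and a leaf issued by the sub-CA.
type Chain struct{ Root, Sub, Leaf *x509.Certificate }

// BuildChain issues a sub-CA from a fresh root, optionally restricted by a dNSName
// name constraint (permitted), then has the sub-CA issue a server cert for host.
func BuildChain(host string, permitted []string) Chain {
	root, rootKey := genCert(template("Root CA", true), nil, nil)
	subTmpl := template("Third-Party Sub CA", true)
	subTmpl.PermittedDNSDomains = permitted
	subTmpl.PermittedDNSDomainsCritical = len(permitted) > 0
	sub, subKey := genCert(subTmpl, root, rootKey)
	leafTmpl := template(host, false)
	leafTmpl.DNSNames = []string{host}
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _ := genCert(leafTmpl, sub, subKey)
	return Chain{root, sub, leaf}
}

// ChainsToRoot runs ordinary path validation of the leaf for host against the chain's
// root, the same check a browser performs against its trust store.
func ChainsToRoot(c Chain, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Sub)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}

// TLSASPKI returns the RDATA of a DANE-EE TLSA record (usage 3, selector 1,
// matching type 1): the SHA-256 of the certificate's SubjectPublicKeyInfo.
func TLSASPKI(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(sum[:])
}

// DANEMatch checks a presented cert against a published TLSA record; which CA
// signed the cert is irrelevant, only the key is compared.
func DANEMatch(record string, cert *x509.Certificate) bool {
	return record == TLSASPKI(cert)
}

func main() {
	mitm := BuildChain("www.google.com", nil)
	fmt.Println("unconstrained sub-CA, leaf for www.google.com verifies:", ChainsToRoot(mitm, "www.google.com"))
	constrained := BuildChain("www.google.com", []string{"example.com"})
	fmt.Println("sub-CA constrained to example.com, leaf for www.google.com verifies:", ChainsToRoot(constrained, "www.google.com"))
	inScope := BuildChain("www.example.com", []string{"example.com"})
	fmt.Println("sub-CA constrained to example.com, leaf for www.example.com verifies:", ChainsToRoot(inScope, "www.example.com"))

	genuine := BuildChain("www.google.com", nil) // stands in for the site operator's own key
	record := TLSASPKI(genuine.Leaf)              // what the operator would publish in DNS
	fmt.Println("genuine leaf matches TLSA:", DANEMatch(record, genuine.Leaf))
	fmt.Println("rogue sub-CA leaf matches TLSA:", DANEMatch(record, mitm.Leaf))
}
```

The first three lines of output show the point made above about CA=TRUE issuance: with no name constraint the third party's leaf for www.google.com validates exactly like a genuine one, and only a name constraint on the sub-CA (which the original TrustWave intermediate did not carry) makes the client reject it. The DANE lines show what DANE-EE changes: the rogue leaf fails because its key hash does not match the published record, regardless of who signed it. What the code cannot show is the caveat in the comment it follows: DANEMatch trusts `record` as given, so whoever can alter that TLSA record (registry, DNS operator, root zone) inherits the trust the CA used to hold.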
Google https://www.chromium.org/Home/chromium-security/root-ca-poli...
Microsoft http://social.technet.microsoft.com/wiki/contents/articles/3...
Apple http://www.apple.com/certificateauthority/ca_program.html
Mozilla https://www.mozilla.org/en-US/about/governance/policies/secu...
From a cursory look, Ubuntu seems to mirror Mozilla's cert store.