by robtoo 5399 days ago
All vendors want market share in the Netherlands, so a few Dutch CAs get on the list; and they all want market share in China so the Chinese Ministry of Information gets on the list.

No browser wants to be the one which doesn't work with someone, somewhere's bank, so once you're on one list, you tend to get added to all of them; and it becomes nigh-on impossible for marketing reasons to remove anyone from the list ever.

15 years later, browsers have 80 CAs and 200 certificates built-in.

1 comment

...and what compounds the problem is that CAs are trusted on an all-or-nothing basis - you don't have a concept of "this CA is trusted only for .nl domains, and this other CA is trusted only for .cn and .hk domains".
Chrome plugins are too limited, but could this functionality be implemented via a Firefox extension?
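
The scoped-trust idea raised in the comment above, as an added example that is not part of the original thread: a per-CA policy check that a client-side hook could run before accepting a certificate chain. The CA names, the `CA_SCOPE` map, and the function names are hypothetical, and all hostnames are constructed.

```javascript
// Hypothetical policy: root CA name -> DNS suffixes it may vouch for.
// A CA missing from the map stays unconstrained (the all-or-nothing default).
const CA_SCOPE = new Map([
  ["Example Dutch Root CA", ["nl"]],
  ["Example Chinese Root CA", ["cn", "hk"]],
]);

// Lowercase the name and drop a trailing dot so "Example.NL." matches "nl".
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Match on a label boundary: "example.nl" is inside "nl", "examplenl" is not.
function inSuffix(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// rootName: name of the root the chain ends in.
// host: the hostname being connected to.
// sanNames: every DNS name listed in the leaf certificate.
// Every name must fall inside the CA's scope, so a certificate cannot pair
// one in-scope name with out-of-scope ones.
function checkScopedTrust(rootName, host, sanNames) {
  const scope = CA_SCOPE.get(rootName);
  if (scope === undefined) {
    return { ok: true, reason: "unconstrained CA" };
  }
  for (const name of [host, ...sanNames].map(normalizeHost)) {
    // For a wildcard name, test the part after "*.".
    const base = name.startsWith("*.") ? name.slice(2) : name;
    if (!scope.some((suffix) => inSuffix(base, suffix))) {
      return { ok: false, reason: `${rootName} is not trusted for ${name}` };
    }
  }
  return { ok: true, reason: "all names within CA scope" };
}
```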