[fpgeek]

3) (mostly Mozilla-specific) CAs need Mozilla far more than Mozilla needs CAs. Mozilla can always ensure that at least one major browser trusts their certificate, after all.