[amenghra]

Couple dozen => it’s actually 50-ish, with a mix of private and government entities located all over the world.

The fact that the Spanish mint can mint (pun!) certificates for any domain is unfortunate.

Hopefully, any abuse would be noticed quickly and rights revoked.

It would maybe have made more sense for each country’s TLD to have one or more associated CA (with the ability to delegate trust among friendly countries if desired).

https://wiki.mozilla.org/CA/Included_Certificates

[wkat4242]

Yes I never understood why the scope of a CA was not previously declared as part of their CA certificate. The purpose is (email, website etc) but not the possible domains. I'm not very happy that the countless Chinese CAs included in Firefox can sign any valid domain I use locally. They should be limited to anything .cn only.

At least they seem to have kicked out the Russian ones now. But it's weird that such an important decision lies with arbitrary companies like OS and browser developers. On some platforms (Android) it's not even possible to add to the system CA list without root (only the user one which apps can choose to ignore)