Netscape, AOL, mozilla, or anyone else but me.) There is a certain amount of liability associated with putting a root CA cert into a browser and making it trusted. Users put their trust into any and all web sites that manage to get the lock icon locked without overriding security. If a "rogue" CA's cert is put into their browser, their trust may be abused, and they may have (in some countries) cause against the supplier of their browser software.
Recall that mozilla is supposed to be a generic implementation that other parties take and customize and re-release under their own name. Examples of these customized versions of mozilla include Netscape 7 and (if I'm not mistaken) Beonex. The versions of mozilla distributed with various Linux distributions may also be examples. I don't know if those are customized or not.

Any party who produces their own mozilla-derivative browser product is free to add new trusted root CA certs to their derivative product. NSS even includes software tools to facilitate the process. (These are the same tools used to add new CA certs into mozilla's NSS source base.) A CA cert that is added to mozilla's source base becomes a part of all browser products that are derived from that source base, unless the developers of the derivative products take the steps to remove them. Therefore, it seems to me that it is in the mutual interests of all parties who develop derivative products that the root CAs in the common mozilla source base be quite trustworthy, enough so that no producer of a mozilla derivative should need to remove any CA certs from their product.

I'd guess that the money Netscape collects for putting a root CA cert into mozilla is used to attempt to ascertain that the CA is truly legitimate, and not a rogue CA, and is still alive and well. In some sense, the mere fact that the CA is willing to pay this money is a measure of their legitimacy, I think. (Few rogue CAs are willing to pay anything.)

So, IMO, those who wish to distribute browsers that contain new CA certs should produce their own mozilla-derivative browser products, and add the CA certs to their own products. For one's own individual and personal use, it's not necessary to change any code or produce any derivative product, of course, because mozilla allows any user to add his own trusted CA certs.

-- Nelson Bolyard (speaking only for myself)
