** A certificate used to sign code should contain the name of the developer or distributor of the code, and by signing such a certificate a CA is vouching for the fact that the entity referenced in the certificate is the entity that requested the certificate.
* A CA is considered to be non-compliant with Mozilla's CA Certificate Policy if the CA
** knowingly issues certificates without the knowledge of the entities whose information is referenced in the certificates; or
** knowingly issues certificates that appear to be intended for fraudulent use.
* Mozilla will consider removing a root certificate from NSS if
** The CA is issuing certificates in a manner that is non-compliant with Mozilla's CA Certificate Policy.
** The CA is issuing certificates that are being used in MitM attacks.
* SSL makes tampering visible to its victims. The certificate has to actually make it to the user's client application before the user can decide to trust it.