** knowingly issues certificates without the knowledge of the entities whose information is referenced in the certificates; or
** knowingly issues certificates that appear to be intended for fraudulent use.
* Mozilla will consider removing a root certificate from NSS if the CA is issuing certificates in a manner that is non-compliant with Mozilla's CA Certificate Policy. (As per the previous point, a CA that is issuing certificates that are being used in MitM attacks is non-compliant with Mozilla's CA Certificate Policy.)
* SSL makes tampering visible to its victims. The certificate has to actually make it to the user's client application before the user can decide to trust it.