I'm surprised - there doesn't seem to be a Firefox extension for whitelisting CA certs, like a NoScript for PKI chains. I wonder if there's a technical reason for that (haven't looked at the Firefox add-on interface in a long time), or if it's simply that no one has written one.

It'd be annoying for the first little while, but I'm willing to bet that pretty soon I'd have whitelisted all the CA certs I legitimately expect to see until the next update. And when a non-whitelisted root or intermediary comes up, the extension could do quick CRL and OCSP checks.

Maybe a project for my next holiday.
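As an added illustration (not part of the comment above, and not an existing add-on): a background-script sketch of the root-allowlist check using Firefox's `browser.webRequest.getSecurityInfo()` API, which is available inside a blocking `onHeadersReceived` listener when the `webRequest`, `webRequestBlocking` and host permissions are declared in manifest.json. The fingerprints in the allowlist are constructed placeholders, and treating the last chain entry as the root is an assumption about the order `getSecurityInfo` reports.

```javascript
// Added example, not code from the original comment. Allowlists root CAs by
// SHA-256 fingerprint and cancels requests whose root is not on the list.

// Constructed placeholder fingerprints (colon-separated hex, the form
// getSecurityInfo reports). A real deployment would seed this from the
// roots the user has actually accepted.
const ALLOWED_ROOT_SHA256 = new Set([
  "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99",
]);

// Pure decision function so it can be tested without a browser: takes the
// SecurityInfo object and returns a verdict describing why it was reached.
function checkChain(securityInfo, allowlist = ALLOWED_ROOT_SHA256) {
  if (!securityInfo || securityInfo.state !== "secure") {
    const state = securityInfo ? securityInfo.state : "missing";
    return { allowed: false, reason: "connection not secure: " + state };
  }
  const chain = securityInfo.certificates || [];
  if (chain.length === 0) {
    return { allowed: false, reason: "no certificate chain" };
  }
  // Assumption: the chain is listed leaf first, so the last entry is the root.
  const root = chain[chain.length - 1];
  const fp = ((root.fingerprint && root.fingerprint.sha256) || "").toUpperCase();
  const verdict = { allowed: allowlist.has(fp), rootSubject: root.subject, fingerprint: fp };
  verdict.reason = verdict.allowed ? "root allowlisted" : "root not allowlisted";
  return verdict;
}

// Browser wiring; skipped outside an extension context (e.g. under Node).
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      // getSecurityInfo only works while this blocking listener is pending.
      const info = await browser.webRequest.getSecurityInfo(details.requestId, {
        certificateChain: true,
      });
      const verdict = checkChain(info);
      if (!verdict.allowed) {
        // A fuller extension would prompt the user and run the CRL/OCSP
        // checks the comment mentions before deciding; here it just blocks.
        console.warn(`[ca-allowlist] ${details.url}: ${verdict.reason}`, verdict);
        return { cancel: true };
      }
      return {};
    },
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```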

