> a cert labeled "MD5 Collisions Inc (http://www.phreedom.org/md5)" [...] > Yes, it's expired, so it poses no real threat, but why is the Mozilla > Project shipping Firefox with that cert? It just causes FUD. This is an override for the forged cert, with all trust bits removed. That way should the demo cert make it into the wild users will get a hard failure rather than an overridable one. We worried that many users are trained to accept "expired" certs as fairly normal and not notice it was an expired intermediate rather than the end cert. For more information please see https://bugzilla.mozilla.org/show_bug.cgi?id=471715 -Dan Veditz
