More a feature request than anything: I think it would be a good idea to have an optional whitelist for what sites a root cert is allowed to verify. A common situation would be a corporate root cert - if browser could be configured to only allowed to be a CA for sites within that company the users (employees in this case) could be sure that the company wasn't eavesdropping on their browsing to other websites, while allowing them to create and revoke certs for their own at will. (But I remember at least one news story recently where this would have helped the more general public when a CA started authorizing fake sites.)