I wonder how vetting of Certificate Authorities will happen. I suppose that if your OS has a sufficient number of trusted CAs, then any browser can rely on those.
But consider this, from Debian's ca-certificates package:
---
This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.
It includes, among others, certificate authorities used by the Debian infrastructure and those shipped with Mozilla's browsers.
Please note that Debian can neither confirm nor deny whether the certificate authorities whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. Full responsibility to assess them belongs to the local system administrator.
---
So as long as Mozilla allows OSes, and presumably other browser forks, to benefit from their CA vetting and monitoring activities ...
There really is a lot that does, or should, go into browser development and maintenance.