Don't have time to comment on anything else, but the Quovadis thing was basically a function of people who didn't understand the difference between the Firefox root list (kept in a DLL) and the Windows/IE root list (kept in the registry). They kept trying to delete the root cert in Firefox, saw that this had no effect on the registry (d'oh!), and then leapt to conclusions that there was some kind of trojan running.
As to why Quovadis got singled out, I think it was simply that they'd never heard of a CA named "Quovadis", and they thought it sounded more like what someone would name a trojan than "Geotrust" or "VeriSign" :-)
Posted by Frank Hecker at July 28, 2006 10:32 PM

I think it is not the browser's job to decide which root certificate to trust. It's the user's job.
Of course, as long as CAs keep financing browser development, security takes a back seat.
http://groups.google.com/group/mozilla.dev.security/msg/0040e1d23f638661
Posted by Frank response in depth! at August 1, 2006 02:35 PM

Privsoft may have blown it, but someone sees this as an attractive attack vector!
http://isc.sans.org/diary.php?compare=1&storyid=1543&isc=b05ac907ada17fb718bb9e3d02dab2f6
Posted by ~ at August 7, 2006 03:27 PM