* A hierarchical structure of a single root with intermediate certs (subroots) is preferred. The single top-level root's public certificate is supplied for Mozilla's root list; the subroots are not. See [[CA:Recommendations_for_Roots]]
* CAs should revoke certificates with private keys that are known to be compromised, or for which verification of subscriber information is known to be suspect.
==== Notes for future work ====