If you want to be a CA, you need to get Microsoft and Mozilla (among others) to include you in their list. I can't find Microsoft's policy, but Mozilla's CA Certificate Policy is here: http://www.mozilla.org/projects/security/certs/policy/
There are operational requirements and management attestations that must be made such as "WebTrust Principles and Criteria for Certification Authorities".
WebTrust is an accounting entity; it's just a process formalism that allows companies like KPMG to "audit" CAs. I went down that rabbit hole and found the WebTrust standards document:
The technical material in these documents is about FIPS compliance for hardware crypto, key size, and backup/restore; in other words, the exact same stuff you'd read in a Common Criteria document, utterly divorced from actual operational or code security. Compare to the new PCI-DSS standard: on paper, it is actually harder to process an individual VISA card than it is to run a CA.
Neither document contains the letters "M-D-5" or requires serial numbers to be randomized. However, the majority of CAs do randomize serial numbers, suggesting a best practice that simply isn't included in the industry's CA certification standard.
The link you provided to the Bugzilla report on adding GeoTrust/RapidSSL is almost offensive; it reads: "we got audited by KPMG, here's our address", "ok, fill out this document", "ok, we'll add you to the next release".
I'm surprised and a bit skeptical that every CA (except for one) randomizes serial numbers without it being published in a standard or guidance document somewhere. Best practice usually has something worse than a (n - 1) distribution.
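As an added illustration of the two weaknesses raised in this thread (MD5-signed certificates and predictable serial numbers), here is a small stdlib-only Python checker; it is not code from anyone in the thread. It reads only the leading TBSCertificate fields of a DER certificate, the two sample certificates are constructed and truncated to exactly those fields, and the 64-bit serial threshold is an assumed policy value (it matches the current CA/Browser Forum Baseline Requirements minimum).

```python
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # known-weak signature OID
MIN_SERIAL_BITS = 64  # assumed threshold; matches the current CA/Browser Forum BR minimum
def _tlv(buf, pos):  # decode one DER tag+length -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):  # decode a DER OBJECT IDENTIFIER value into dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                      # last base-128 digit of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def serial_and_sigalg(der):
    """Return (serialNumber, signature algorithm OID) from a DER Certificate."""
    _, p, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, p, _ = _tlv(der, p)                    # tbsCertificate ::= SEQUENCE
    tag, s, e = _tlv(der, p)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        tag, s, e = _tlv(der, e)
    assert tag == 0x02, "expected INTEGER serialNumber"
    serial = int.from_bytes(der[s:e], "big", signed=True)
    _, p, _ = _tlv(der, e)                    # signature ::= AlgorithmIdentifier
    tag, s, e = _tlv(der, p)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return serial, _oid(der[s:e])

def audit(der):  # findings a relying party or auditor would want for one certificate
    serial, oid = serial_and_sigalg(der)
    findings = []
    if oid in MD5_SIG_OIDS:
        findings.append("signature algorithm is " + MD5_SIG_OIDS[oid])
    if serial.bit_length() + 8 < MIN_SERIAL_BITS:   # slack for leading zero bits of a random value
        findings.append(f"serial has only {serial.bit_length()} bits of magnitude")
    return findings

def _wrap(tag, body):  # short-form DER encoder, enough for the constructed samples
    return bytes([tag, len(body)]) + body
def _sample(serial_hex, oid_hex):  # constructed, truncated Certificate (version, serial, signature)
    algid = _wrap(0x30, _wrap(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    tbs = _wrap(0xA0, _wrap(0x02, b"\x02")) + _wrap(0x02, bytes.fromhex(serial_hex)) + algid
    return _wrap(0x30, _wrap(0x30, tbs))
WEAK_CERT = _sample("0a2f", "2a864886f70d010104")                # md5WithRSA, serial 0x0a2f
GOOD_CERT = _sample("00d4c3b2a19f8e7d6c", "2a864886f70d01010b")  # sha256WithRSA, 64-bit serial
```

The magnitude of a single serial is only a coarse screen: a CA's randomization practice is properly judged across its issued population, not from one certificate.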
was the "one" in those articles? I didn't see. Anyway, who do you trust to buy certs from? I need to get a new one soon and would like recommendations.