Root certificate that no-one owns?

Kathleen Wilson has found a root certificate that is signed, but that no one is willing to own up to: "Recommend Removing RSA Security 1024 V3 root certificate authority".

This has far-reaching consequences, as quoted here:

If I had access to the machine of a Netscape NSS developer who was about to update the root store, and I wanted to slip in a cert I had the private key for, I’d add another entry to the store which was very similar to an existing one but with one obvious difference, so that people would assume they were a set.

Perhaps this is far-fetched and paranoid. But the fact that RSA know nothing whatsoever about this root is rather concerning.

This cert is also included in OS X. Break out your tin foil hats.

JunOS.tmbundle

I have started to create my first TextMate bundle – Juniper JunOS.tmbundle

Please branch and add your own config statements – I am finding it useful for making sense of firewall statements. So far I am only using EX4200 series switches.

I am also cool because it’s on github.