
482 points sanqui | 10 comments
1. 8organicbits No.42285913
Microsoft seems to be casual about trusting CAs, isn't transparent in their inclusion decisions, and their trust store is quite large. Any reasonable website would only use a certificate trusted by a quorum of browsers (especially Chrome), so the benefit of the extraneous CAs seems low.

I'm not a Windows user, but I have to wonder if there's a way to use the Chrome trust store on Windows/Edge. I can't imagine trusting Microsoft's list.

replies(2): >>42286093 >>42286332
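An added example (not part of the thread, and not code from Microsoft, Mozilla or the CCADB) of the check the comment above implies: take a per-root inclusion table such as the one the CCADB publishes, work out which roots are trusted by only one store, and test a root against a "quorum of browsers" rule that insists on Chrome. The CSV layout and column names below are an assumed, simplified version of the CCADB report, and every fingerprint and CA name in it is constructed for illustration.

```python
"""Compare root CA inclusion across browser/OS trust stores.

Added example, not from the thread. The input layout loosely follows the
CCADB "included CA certificates" CSV (https://www.ccadb.org/), but the
column names are assumed and all rows below are constructed sample data.
"""
import csv
import io

STORES = ("Mozilla", "Chrome", "Apple", "Microsoft")

# Constructed sample rows: placeholder (truncated) fingerprints, fictional CAs.
SAMPLE_CSV = """\
CA Owner,Certificate Name,SHA-256 Fingerprint,Mozilla Status,Chrome Status,Apple Status,Microsoft Status
Example Trust Inc,Example Root G1,0000000000000001,Included,Included,Included,Included
Example Trust Inc,Example Root G2,0000000000000002,Included,Included,Not Included,Included
Gov CA,National Root 1,0000000000000003,Not Included,Not Included,Not Included,Included
Gov CA,National Root 2,0000000000000004,Not Included,Not Included,Included,Included
Legacy CA,Old Root,0000000000000005,Included,Not Included,Not Included,Not Included
"""


def normalize_fp(fp):
    """Canonical fingerprint form: upper-case hex, no ':' or ' ' separators
    (certutil and openssl print fingerprints with separators, CCADB does not)."""
    return fp.replace(":", "").replace(" ", "").strip().upper()


def load_stores(csv_text):
    """Return {store: {fingerprint: certificate name}} for roots marked Included."""
    stores = {s: {} for s in STORES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fp = normalize_fp(row["SHA-256 Fingerprint"])
        for s in STORES:
            if row[f"{s} Status"].strip() == "Included":
                stores[s][fp] = row["Certificate Name"]
    return stores


def trusting_stores(fp, stores):
    """Set of store names that include the given root fingerprint."""
    fp = normalize_fp(fp)
    return {s for s, roots in stores.items() if fp in roots}


def meets_quorum(fp, stores, quorum=3, required=("Chrome",)):
    """True if the root is in at least `quorum` stores and in every `required` one.
    This is the rule a site operator would apply before buying from a CA."""
    trusted_by = trusting_stores(fp, stores)
    return len(trusted_by) >= quorum and all(r in trusted_by for r in required)


def only_in(store, stores):
    """Roots trusted by `store` and by no other store: the extra exposure
    that store's users carry compared with everyone else."""
    others = set().union(*(set(r) for s, r in stores.items() if s != store))
    return {fp: name for fp, name in stores[store].items() if fp not in others}


def store_report(stores):
    """Per-store totals: how many roots, and how many nobody else trusts."""
    return {s: {"total": len(r), "unique": len(only_in(s, stores))}
            for s, r in stores.items()}


if __name__ == "__main__":
    data = load_stores(SAMPLE_CSV)
    for store, counts in store_report(data).items():
        print(f"{store:<10} roots={counts['total']} unique={counts['unique']}")
    for fp, name in only_in("Microsoft", data).items():
        print(f"Microsoft-only root: {name} ({fp})")
```

Run against the real CCADB export, the `unique` column is the number the first comment is asking about; on the sample data the single Microsoft-only root is "National Root 1", and it fails the quorum check because no browser store other than Microsoft's includes it.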
2. lokar No.42286093
They are not transparent because it is based on enabling sales.
3. throwaway2037 No.42286332
> Microsoft seems to be casual about trusting CAs

Woah, that is a bold statement. Classic HN overreach. I am not here to shill for MSFT, but, in terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

Are you aware of the big hack on the Netherlands' govt-approved CA? Read about DigiNotar. My point: that was a widely trusted CA that was hacked after the root CA cert was added to most browsers' / OSes' trust stores. So would you say that MSFT was "casual" about trusting the DigiNotar root CA? How about Mozilla Firefox? I doubt it.

replies(5): >>42286437 >>42286493 >>42286500 >>42286910 >>42287959
4. 8organicbits No.42286437
I'm very aware of DigiNotar, I wrote a blog post last year that discusses DigiNotar and even mentions Brazil/ITI [1].

A challenge for Microsoft is that they aren't transparent in their inclusion decisions, so we can only speculate why they chose to trust this CA. What gives you confidence that Microsoft is doing careful vetting?

In stark contrast, Mozilla publicly and extensively documented why they didn't trust this CA [2].

[1] https://alexsci.com/blog/ca-trust/

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=438825

replies(1): >>42286976
5. anothernewdude No.42286493
> I am sure that MSFT carefully vets all CA additions.

I'm sure that Microsoft carefully ensures they're paid for all CA additions.

Given their monopoly there is no incentive for vetting.

replies(1): >>42287994
6. cookiengineer No.42286500
You are comparing a non-publicly available trust chain (Microsoft's) with a public and transparent one (Mozilla's/Linux Foundation's) [1].

I don't see any reproducible builds for Microsoft Edge. Therefore, your statement is an assumption and nothing more. We can not trust Microsoft more because they are more proprietary.

[1] https://www.ccadb.org/

7. lelandbatey No.42286910
> ... In terms of OS sales to gov'ts, no one else has nearly the same level of experience. I am sure that MSFT carefully vets all CA additions.

I don't think those two things have anything to do with each other. Living in Redmond for my entire life has mostly shown me that MS owns one of the best and most lucrative sales orgs and sales channels in the world. That sales channel means they can sell to governments better than nearly anyone on the planet, no matter what their security practices are like.

8. eschatology No.42286976
That bugzilla thread was quite a read! Thank you for sharing
9. tialaramex No.42287959
> I am sure that MSFT carefully vets all CA additions.

Are you? Why? For Mozilla the vetting process takes place in public; that's one purpose of m.d.s.policy, so we can see what is or is not done and draw our own conclusions.

Each of the proprietary trust stores has an opaque process in which, unless you're a CA applicant, you don't even know what they're asking for, much less what (if anything) they do with it.

These are for-profit companies, and this is a cost centre. The cheapest possible thing they could do is piggyback entirely on the public Mozilla process (which of course for this CA would mean rejecting).

The next cheapest option would be to allow senior management to override Mozilla's decisions for, you know, commercial reasons.

And yes, it would certainly be possible for them to have their own teams every bit as effective as the public process but entirely made up of employees and contractors. Weirdly though, although it's easy to run into people who worked for, say, the Windows OS team, or the Xbox team, or the Azure team, you don't run into ex-Microsoft opaque-CA-process people. One reason might be that they're all career professionals, never leave, never get downsized; maybe there are dozens of them. But the more likely reason is they do not exist.

10. tialaramex No.42287994
I'm pretty sure there isn't a fee. Somebody from ISRG (the people who brought you Let's Encrypt) might be able to state categorically that there was no fee charged by Microsoft, obviously it's not free in practice to spin up a decent Certificate Authority, but that's not the same thing as Microsoft charging a fee.

For these government CAs my expectation is that they're a sort of quid pro quo and (wrongly) not seen as a security problem.