That, and it demonstrates how bad the default SSL trust model is. If the gmail.com certificate came from Thawte yesterday and comes from the Department of Defense or CNNIC today, your browser will happily accept it without warning.