Apparently that certificate has no owner any more or might even be rogue. See upstream issue and http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc

Reproducible: Always
We'll update the package as soon as Debian (who is the upstream) releases it. See also the mail on the original thread that RSA has claimed they did make it.