That's definitely a conflict of interest, but I wouldn't call it theft unless you prove the foundation was getting a bad deal. Could the foundation have gotten the work done better or cheaper hiring non-represented companies? That's the question you have to answer to call this theft.

It doesn't seem that is really what the foundation is arguing though, so I'm guessing it wasn't that bad. It seems more their argument is that this violates the non-profit laws they operate under.

No one is going to write a blog post titled "Why I just used the default filesystem in the installer" but that is what most people do. Things like btrfs and zfs are useful, complicated technologies that are fun to write about, fun to read about, and fun to experiment with. I'd be careful about assuming that leads to more general use, though. Its a lot like Guix and NixOS, in fact. They get all the attention in a forum like this. Ubuntu is what gets all the people, though.

For Firefox in particular, I would 100% be willing to pay for it. Individuals like me who will pay are rare, but companies that will pay aren't. I think the answer for modern Mozilla is a Red Hat style model. Charge a reasonable amount of money. Accept that someone is going to immediately create a downstream fork. Don't fight that fork, just ignore it. Let the fork figure out its own future around the online services a modern browser wants to provide.

Then, lean hard into the enterprise world. Figure out what enterprise customers want. The answer to that is always for things to never, ever change and the ability to tightly control their users. That isn't fun code to write, but its profitable and doesn't run counter to Mozilla's mission. That keeps Mozilla stable and financially independent.

Mozilla will maintain lots of influence to push forward their mission, because hopefully their enterprise customer base is big, but also they are the ones actually doing the work to make the downstream fork possible.

OIDC actually does have a discovery mechanism standardized to convert an email address into an authoritative issuer. Then, it has a dynamic registration mechanism standardized so that an application could register to new issuers automatically. Those standards could absolutely be improved, but they already exist.

The problem is that no one that mattered implemented them.

If you want to get anywhere with something like this, you need buy-in from the big email providers(Google, Microsoft, Yahoo, and Apple) and the big enterprise single sign on providers(Ping, OneIdentity, and Okta). All of those companies already do OIDC fairly well. If they wanted this feature to exist, it already would.

Instead, it seems like big tech is all-in on passkeys instead of fixing single sign on.