Almost by definition, any major new feature adds code, the question is
how much new code is acceptable for a given feature.  And the answer
will vary in direct proportion to how much you personally think the
feature is worth, so that's unlikely to be a real number.  I think we've
decided we want EV cert support as part of our security UI strategy, and
there's other pieces that we  might use in 1.9.1.

That said, there's clearly a ton of work that should be done to optimize
a lot of this codesize pain (bz has made some concrete suggestions in
the bug), and we'll have to discuss separately how to deal with those,
but I think we're very very unlikely to stay on NSS 3.11.x for Firefox
3.  Probably the biggest reason is maintenance for security releases (we
migrated the branches to use the current stable NSS tag during the
winter, because NSS is not going to spot fix older versions anymore).  
AIUI, 3.11 will be replaced by 3.12, and 3.11 will no longer be updated,
long before the Firefox 3 end of life.  It is not viable for us to lock
into a to-be-unsupported version of NSS for the next 18-24 months for
Firefox 3, so we need to help make NSS 3.12 as performant as possible
sooner or later.   Unless we're prepared to maintain our own fork for
NSS until libpkix meets some relatively arbitrary codesize target, and I
don't think we're at all prepared to do that.

I'm not saying a 9% Z hit is shippable (I'm going to ignore mZ, since it
doesn't include libxul or thebes, and is therefore broken right now),
but I think we will take some sort of nontrivial hit, and I think we
need to be prepared for that in order to get onto the new NSS version.  
That hit should be as small as possible, but I see no situation where
we'll throw away EV cert support over a codesize hit.

-- Mike