It's amazing how many people still think Verisign are the only CA out there. There are a lot now, and if you hunt about, you needn't pay more than $10-$20 for a cert that's trusted in most browsers (granted, they are domain-only validated, but that's a whole different issue that needs to be fixed, I won't bring it up here...)
The reason you 'trust' Verisign/Thawte/Comodo/Geotrust/GoDaddy is because their roots are in the OSs & browsers. You can't get in those root stores without a hell of a lot of hoop-jumping. I know this. The money you pay for a cert does go to covering the costs of the background checks you have to pass through before you get the certificate.
Trust has to start somewhere - why not with large companies who have undergone rigorous procedures that also have been vetted by the companies you're implicitly trusting by installing their software?
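The point about roots living in the OS and browser stores, shown as an added Go example that is not code from anyone in this thread: the same leaf certificate verifies or fails purely on whether its issuing root is in the store the verifier ships with. The CA names, hostname and keys are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn, signed by parent, or
// self-signed when parent is nil. A non-empty host makes it a leaf (not a CA).
func issue(cn, host string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  host == "",
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if host != "" { tmpl.DNSNames = []string{host} } // leaf: hostname goes in the SAN
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TrustedBy reports whether leaf, presented for host, chains to a root in store.
// The store is the whole basis of trust: who the CA is plays no part here.
func TrustedBy(leaf *x509.Certificate, host string, store ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // empty pool: system roots are deliberately ignored
	for _, r := range store { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	root, rootKey := issue("Example Root CA", "", nil, nil)
	leaf, _ := issue("www.example.com", "www.example.com", root, rootKey)
	other, _ := issue("Other Root CA", "", nil, nil)
	fmt.Println(TrustedBy(leaf, "www.example.com", root), TrustedBy(leaf, "www.example.com", other)) // true false
}
```

A perfectly valid CA whose root is not in the store ("Other Root CA") is rejected exactly like no CA at all, which is why getting into the root stores is the whole game.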
If someone on this board wanted to argue that GoDaddy and GeoTrust haven't really seen "vetting" that makes or breaks their security, as a practitioner in this industry, I don't feel I could win that argument.
What you and I are really saying is that a company like Thawte has staked their business on those pubkeys, so that we at least know that if they screw up, they stand a good chance of losing the company.