by guns 4874 days ago
If you feel uncomfortable about this trust decision made for you by OS X, I would suggest taking a peek at the entire set of trusted root certificates in /System/Library/Keychains/ (note that Keychain Viewer hides one of them from view by default, so run:

    open /System/Library/Keychains/*
from a shell).

I don't run OS X anymore, but I was not happy with what I saw at the time.

2 comments

I wish there were a tool for auditing root certificates, one that would point out which certs are owned by governments, the reputation of the companies, etc.
The problem with that idea is that the CA root store on your computer is a tiny subset of all the CA=YES certificates out there, because of intermediate chained CA certificates.

So what you really need is something that watches every CA cert your browser ever sees and then does detective work on them. Which is sort of what Moxie Marlinspike's Convergence project was doing.
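The two posts above describe the workflow by hand: dump the root keychain, then do detective work on who owns each anchor. The script below is an added example, not code from the thread; it is stdlib-only Python with a minimal DER walker that reads just the tbsCertificate fields an audit needs (issuer, subject, basicConstraints) and groups a PEM bundle by subject country and organization, flagging anchors that are not CA:TRUE or not self-signed. It assumes the bundle was exported from macOS with `security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > roots.pem`; the sample certificates it builds are constructed and unsigned, present only so the parser can be exercised offline.

```python
"""Audit a PEM bundle of root certificates by subject country and organization.

Added example (not from the thread). Stdlib only. The constructed sample
certificates at the bottom are unsigned and exist only to exercise the parser.
"""
import base64
import re
from collections import Counter

OID_COUNTRY = b"\x55\x04\x06"            # 2.5.4.6  countryName
OID_ORG = b"\x55\x04\x0a"                # 2.5.4.10 organizationName
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"  # 2.5.29.19
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Split the contents of a constructed value into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        out.append((tag, val))
    return out


def parse_name(name_content):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue -> {oid: text}."""
    attrs = {}
    for _, rdn in der_children(name_content):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)[:2]
            attrs[oid] = value.decode("utf-8", "replace")
    return attrs


def audit_cert(der_bytes):
    """Return the audit-relevant facts for one DER certificate."""
    _, cert, _ = der_read(der_bytes)      # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_read(cert)            # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, ..., [3] extensions
    issuer, subject = parse_name(fields[2][1]), parse_name(fields[4][1])
    is_ca = False
    for tag, val in fields[6:]:
        if tag != 0xA3:
            continue
        _, exts, _ = der_read(val)        # Extensions ::= SEQUENCE OF Extension
        for _, ext in der_children(exts):
            parts = der_children(ext)     # extnID, [critical], extnValue OCTET STRING
            if parts[0][1] == OID_BASIC_CONSTRAINTS:
                _, bc, _ = der_read(parts[-1][1])  # BasicConstraints SEQUENCE in the OCTET STRING
                inner = der_children(bc)
                is_ca = bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
    return {"country": subject.get(OID_COUNTRY, "?"), "org": subject.get(OID_ORG, "?"),
            "self_signed": issuer == subject, "is_ca": is_ca}


def load_pem_bundle(text):
    """Extract every CERTIFICATE block from PEM text as DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def summarize(pem_text):
    """Group a root store by country and organization and flag odd trust anchors."""
    records = [audit_cert(d) for d in load_pem_bundle(pem_text)]
    return {"total": len(records),
            "by_country": dict(Counter(r["country"] for r in records)),
            "by_org": dict(Counter(r["org"] for r in records)),
            # an anchor that is not CA:TRUE, or not self-signed, deserves a second look
            "oddities": [r["org"] for r in records if not (r["is_ca"] and r["self_signed"])]}


# --- constructed sample data (unsigned; structure only) ---------------------
def der(tag, body):
    """Encode one DER TLV."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_name(country, org):
    def atv(oid, text, string_tag):
        return der(0x31, der(0x30, der(0x06, oid) + der(string_tag, text.encode())))
    return der(0x30, atv(OID_COUNTRY, country, 0x13) + atv(OID_ORG, org, 0x0C))


def fake_cert_pem(country, org, ca=True):
    """Self-issued v3 certificate with placeholder key and signature (constructed)."""
    bc = der(0x30, der(0x01, b"\xff") if ca else b"")
    ext = der(0x30, der(0x06, OID_BASIC_CONSTRAINTS) + der(0x01, b"\xff") + der(0x04, bc))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + make_name(country, org)
              + der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"400101000000Z"))
              + make_name(country, org)
              + der(0x30, sig_alg + der(0x03, b"\x00"))   # spki placeholder
              + der(0xA3, der(0x30, ext)))
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00"))  # placeholder signature
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")


SAMPLE_BUNDLE = (fake_cert_pem("US", "Example Government Agency")
                 + fake_cert_pem("US", "Example Commercial CA")
                 + fake_cert_pem("NL", "Example Payment Network", ca=False))

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_BUNDLE).items():
        print(f"{key}: {val}")
```

Run it against a real `roots.pem` by passing the file's text to `summarize`; the `by_country` and `by_org` counts give the "who owns this" overview the thread asks for, and `oddities` lists anchors worth a manual check. Note that, as the reply above points out, this only covers the anchors in the local store, not the intermediate CAs a browser encounters in practice.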

I double-clicked the "SystemCACertificates" and that seems to have added a fifth keychain to Keychain Access (it used to display four, I think). That didn't seem too bad, a few GeoTrust and VISA items, and a bunch of DOD ones? Well, I guess it's a bit weird to have 20+ DOD certificates there.

(I already used Keychain Access some time ago to untrust CNNIC, TÜRKTRUST and DigiNotar earlier)