Everyone can be a certificate authority. The problem is that browsers only recognize a small number of authorities and display a scary message for others.
According to the article those 600+ authorities are all trusted by the browsers...
Quote:
"Break into any Certificate Authority (or compromise the web applications that feed into it). As we learned from the SSL Observatory project, there are 600+ Certificate Authorities that your browser will trust; the attacker only needs to find one of those 600 that she is capable of breaking into."