by joshuak 4716 days ago
Well, either you trust the CA system or you don't. If you do, then when you receive an S/MIME signature that your OS thinks is valid because of the root certificates it accepts, you can trust it "transparently".

If you don't trust the CA system, well then the web is a very scary place for you because it's all built on that and email is probably the least of your concerns.

The CAs are generally not "a random list", but rather publicly accepted and accredited CAs. Just like your HTTPS cert.

2 comments

No. Degrees of trust are allowed, and you can choose to do different things in different contexts (browsing vs email) depending on the likelihood and likely damage of betrayal.
That's exactly the reason why the "DANE" approach is being developed now: to replace the use of CAs for HTTPS.

https://tools.ietf.org/wg/dane/ http://www.internetsociety.org/articles/dane-taking-tls-auth...
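As an added illustration of what the DANE comment above refers to (example code, not part of the original thread or of any DANE implementation): a TLSA record (RFC 6698) binds a certificate or public key to a name via DNS, and a client checks the presented certificate against the record instead of, or in addition to, walking a CA chain. The snippet parses a TLSA record in presentation format, derives the certificate association data according to the record's selector and matching type, and compares it in constant time. The certificate DER and SubjectPublicKeyInfo bytes are constructed placeholders, not a real certificate; a real client would take them from the TLS handshake and extract the SPKI with an ASN.1 library, which is assumed here rather than shown.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsaRecord:
    """One TLSA resource record (RFC 6698, section 2.1)."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(text: str) -> TlsaRecord:
    """Parse the presentation format '<usage> <selector> <matching> <hex>'."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError("TLSA record needs exactly four fields")
    usage, selector, matching = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3):
        raise ValueError("unknown certificate usage")
    if selector not in (0, 1):
        raise ValueError("unknown selector")
    if matching not in (0, 1, 2):
        raise ValueError("unknown matching type")
    data = bytes.fromhex(parts[3])
    # A hashed record must carry exactly one digest of the stated algorithm.
    expected_len = {1: 32, 2: 64}.get(matching)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError("association data length does not fit matching type")
    return TlsaRecord(usage, selector, matching, data)


def association_data(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field should contain for this certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        return selected
    if record.matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Constant-time comparison of the derived association data with the record."""
    return hmac.compare_digest(association_data(record, cert_der, spki_der), record.data)


def requires_pkix_chain(record: TlsaRecord) -> bool:
    """Usages 0 and 1 still require normal CA (PKIX) validation; 2 and 3 do not.
    Usage 3 (DANE-EE) is the one that lets the DNS record alone vouch for the
    end-entity certificate, which is the 'replace the CA' case from the comment."""
    return record.usage in (0, 1)


# Constructed placeholder bytes standing in for a real DER certificate and its SPKI.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-placeholder-certificate-der"
SAMPLE_SPKI_DER = b"\x30\x59\x30\x13constructed-placeholder-subject-public-key-info"

# The record a zone operator would publish for DANE-EE / SPKI / SHA-256 ("3 1 1").
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()


if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_TLSA)
    print("matches:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("still needs CA chain:", requires_pkix_chain(rec))
```

Two caveats a practitioner would want alongside this: the matching step only has meaning if the TLSA record was obtained with DNSSEC validation, otherwise a spoofed DNS answer replaces the CA as the weak point; and usages 0 and 1 keep the CA system in the loop, so only usages 2 and 3 actually remove the dependence the thread is discussing.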