I started looking closely at the trusted certificate stores in the major browsers, and am a bit surprised with what I find. There are a lot of entities out there that are acting as CAs (things like national postal services and loads of telecoms). I’m not talking about the fewer than a dozen companies that we traditionally think of as CAs; I’ve found about 50 others that have roots in major browsers.
My question is why? If I go to the web sites of many of these entities, I don’t even see SSL certificates as a product or service that they offer. What could be the reason that these entities need to have their roots seen as trusted? Is it simply a remnant of a time where many companies put their roots into the browsers on the speculation that they’d be valuable one day, and then they weren’t one of the few companies to emerge as a “big CA”?
Building and maintaining a trusted CA infrastructure isn’t easy or cheap, so why do these entities continue to do so? What am I missing?