After reading DrDuh's guide to install yosemite, I thought a bit more about the ~200+ trusted CAs on my computer. I removed about ~50 using various heuristics, mostly arbitrary stuff like removing government agencies, and international CAs that I was skeptical of or otherwise assumed I would not need.
To get to my question though, how many CAs does one need to trust for the safest browsing experience? What CAs should be trusted and how can they be evaluated? How many-ish are you guys trusting?
We really need a much better interface for managing trust. All of these security features rely on trusting something, and people need to have control over that. Maybe they have reason to distrust one of the CAs (China and their effort to catch people circumventing the Great Firewall is an obvious example), and so it should be easier for people to manage these important trust choices.
An interesting (and probably good) side-effect might be that market forces put pressure on websites/etc about their choice of CA. That is, if people distrust a CA and "break" websites that it signed, that's a good thing as it lets the market punish shady CAs indirectly.
We really need a simple way for someone to browse the trust choices and easily say "I don't trust the government of $COUNTRY, disable all of their certs" or "Use these trust settings that my friend gave me on this $PHYSICAL_MEDIA" or "I trust $SOME_3RD_PARTY, use their recommended list". Several of these suggest the need for a portable and secure way to publish lists like the 50 CAs you just removed.
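As an added illustration (not code from anyone in this thread), here is a small Python script that applies the kind of policy described above to a root store: it loads the roots Python's default SSL context trusts, drops any whose subject country is on a distrust list or that have already expired, and tallies what is left by country. The `XX` country and the `SAMPLE_ROOTS` entries are constructed placeholders, and `load_system_roots` assumes an OpenSSL-backed Python build that exposes the system bundle.

```python
import ssl
import time
from collections import Counter

def load_system_roots():
    """Roots Python's default SSL context trusts (on OpenSSL builds this is
    the system bundle), returned as dicts shaped like SAMPLE_ROOTS below."""
    return ssl.create_default_context().get_ca_certs()

def subject_field(cert, name):
    """Pull one attribute (e.g. 'countryName') out of the nested subject tuple."""
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def review_roots(certs, distrust_countries=(), now=None):
    """Apply a trust policy: drop roots whose subject country is distrusted and
    roots that have already expired; tally the rest by country.
    Returns (kept_labels, dropped_with_reason, per_country_counts)."""
    now = time.time() if now is None else now
    kept, dropped, counts = [], [], Counter()
    for cert in certs:
        country = subject_field(cert, 'countryName') or '??'
        label = f"{subject_field(cert, 'organizationName') or '<no org>'} ({country})"
        if country in distrust_countries:
            dropped.append((label, 'distrusted country'))
        elif ssl.cert_time_to_seconds(cert['notAfter']) < now:
            dropped.append((label, 'expired'))
        else:
            kept.append(label)
            counts[country] += 1
    return kept, dropped, counts

def _root(country, org, not_after):
    # Self-signed root: subject and issuer are the same name.
    name = ((('countryName', country),), (('organizationName', org),))
    return {'subject': name, 'issuer': name, 'notAfter': not_after}

# Constructed sample store for offline use; these are not real root certificates.
SAMPLE_ROOTS = [
    _root('US', 'Example Root CA', 'Jan 01 00:00:00 2040 GMT'),
    _root('XX', 'Example Government Root', 'Jan 01 00:00:00 2038 GMT'),
    _root('DE', 'Old Example Root', 'Jan 01 00:00:00 2010 GMT'),
    _root('US', 'Example Root CA 2', 'Jan 01 00:00:00 2035 GMT'),
]

if __name__ == '__main__':
    kept, dropped, counts = review_roots(SAMPLE_ROOTS, distrust_countries={'XX'})
    print(f"trusting {len(kept)} roots: {dict(counts)}")
    for label, why in dropped:
        print(f"dropped {label}: {why}")
```

Swap `SAMPLE_ROOTS` for `load_system_roots()` to run the same review against the real store.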