A thing I wish more people in IT would understand:
The fact that browsers come with their own lists of trusted root CAs, and the poor UX around managing CA trust, are a big problem because they centralize that trust.
It means that in practice who you trust on the web is decided by your browser vendor – it means that for the majority of humanity #Google gets to decide who is trustworthy and who isn't.
The question is: Do we want to trust an entity whose modus operandi is surveillance capitalism and which is liable to state pressure to do this right?
Google is in control of Chrome and thus in control of the bundled list of trusted root CAs; I don't see how this is in any way confusing.
Also, Google trying to get hegemony over the web isn't exactly new anyhow – they got the majority market share, they got the W3C and they sponsor over 50% of Mozilla, which is basically the only "competition".
@phryk @mherrb
Your claim is confusing because
Chrome uses the OS to verify trust. (Verified with Windows, macOS, iOS, BSD)
Even applies to Android, though the OS there comes from Google but still.
Chrome does not come with its own separate trust store, unlike what Mozilla does with Firefox and Thunderbird.
I only see CRLSets, which are something entirely different.