My question is: how can you trust the CA? According to http://mcg.org.br/cert.htm, you can trust the CA:
A characteristic of X.509 is that it predicates that almost all issues that involve semantics or trust are delegated to a CA's CPS -- Certification Practice Statement -- which is declared out of scope in relationship to X.509. The CA's CPS is the governing law that the CA presents to potential clients and represents a top-down framework. While some consider the CPS mechanism to be a good way to introduce flexibility in X.509 because each CA can have its own rules for different needs, such a mechanism can be considered X.509's "black hole" and cannot be harmonized across different CAs. Thus, while this "black hole" mechanism affords a "solution" to the undefined semantic and trust features in X.509 (as they are declared out of scope and delegated to the CPS), such a "laissez-faire" attitude leaves ample room for strong differences between CAs and for a biased "take-it-or-leave-it" attitude regarding what a CA subscriber can expect. Further, it does not scale to a planetary Internet because, even though it could work in a parochial Internet where everyone knows what to expect and shares a common law and trust system, it is doubtful that it could always be successfully applied between competing businesses or different states in a country -- much less between different countries.
