I understand the business reasoning behind not requiering the default CA cert store to be password protected, and I understand that they hold little if any information that is private in nature. OTOH, if someone can get in and manipulate that store, he or she could put in a trusted CA for Jolly Roger's rip-off site and then spoof you. Has this vulnerability been investigated?
Steven
