Do I really need all these Certificate Authorities in my browser or in my keychain?

The Web is worldwide. That you are a "US user" does not mean that you will only look at US websites.

You can remove any CA certificate that you do not wish to trust. That's your prerogative. The only consequence of removing a CA certificate is that the machine will cease to automatically accept as valid any certificate issued by the said CA. Translation: some HTTPS Web site may begin to trigger scary warnings, which you can always bypass, but which are scary nonetheless (and training yourself to bypass scary warnings might not be a good idea anyway).

The truth is that, as a user, you have very little information on which you could base your decision of trusting or not trusting any particular CA. Ideally, you would trust only those CAs for which you can establish a clear responsibility path down to you: the CA which will give you a lot of money in case you get swindled due to a mistake made by the CA. However, there is no such CA. Instead, what you have is a list of "default CAs" who made a deal with the OS vendor (Apple, in the case of Mac OS) so that the OS vendor accepts to include them as "default CAs". These CAs, and Apple, are way too smart, legally speaking, to give you money in case of any problem (as a Mac user, your money relationship with Apple rather flows in the other direction). Yet, if one of the "default CAs" begins to behave improperly, it is Apple's public image which is at stake.

So my advice would be to leave things as they are. This is what almost everybody does. Remember that, in any case, the point of the CA is to validate the certificate, which does not mean that the corresponding site is maintained by honest and trustworthy people; the only thing that the CA guarantees is that the Web page you are looking at really came from the Web site whose name is in the URL bar.
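
The effect described in this answer can be reproduced on the command line. The script below is an added illustration, not part of the original answer: it uses openssl to create two private root CAs (invented names "Demo Root CA" and "Other Root CA"), issues a leaf certificate for the made-up hostname www.example.test, and then validates that leaf against a file that plays the role of the keychain's list of trusted roots. With the issuing root in the list the leaf is accepted; with that root removed, the same leaf is rejected, which is exactly what the browser turns into a warning. It goes one step beyond the answer's text to show the flip side: any root you keep can vouch for any hostname, so a certificate for the same name issued by the other CA is accepted as long as that CA stays in the list.

```shell
#!/bin/sh
# Added illustration for the answer above; it is not part of the original
# post. It builds two private root CAs with openssl, issues a leaf
# certificate for a made-up hostname, and shows that validation depends only
# on whether the issuing root is in the trust store the verifier is given.
# Every CA name, hostname and file name here is invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_root "Display Name" out.key out.pem : self-signed root CA.
# An explicit config avoids depending on the system openssl.cnf.
make_root() {
    cat > "$3.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$3.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2" -out "$3" 2>/dev/null
}

# issue_leaf ca.key ca.pem hostname out.pem : end-entity cert for hostname,
# signed by that CA, with the hostname in subjectAltName.
issue_leaf() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$3" > "$4.cnf"
    openssl req -new -config "$4.cnf" -newkey rsa:2048 -nodes \
        -keyout "$4.key" -out "$4.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$3" > "$4.ext"
    openssl x509 -req -days 1 -in "$4.csr" -CA "$2" -CAkey "$1" -CAcreateserial \
        -extfile "$4.ext" -out "$4" 2>/dev/null
}

# verify_chain trust.pem leaf.pem : exit 0 iff leaf chains to a root listed in
# trust.pem. The default system store is not consulted, so trust.pem plays
# the role of the browser's or keychain's list of root CAs.
verify_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

make_root "Demo Root CA"  demo.key  demo.pem
make_root "Other Root CA" other.key other.pem
cat demo.pem other.pem > both-roots.pem
issue_leaf demo.key demo.pem www.example.test leaf.pem

# 1. Issuing root present in the store: the leaf validates.
if verify_chain demo.pem leaf.pem; then
    echo "store={Demo}        leaf.pem (issued by Demo): OK"
fi
# 2. Issuing root removed from the store: the very same leaf is rejected.
#    This is the "scary warning" the answer describes.
if ! verify_chain other.pem leaf.pem; then
    echo "store={Other}       leaf.pem (issued by Demo): REJECTED"
fi
# 3. Every root you keep can vouch for any hostname: a cert for the same
#    name issued by the other CA validates as long as that CA is trusted.
issue_leaf other.key other.pem www.example.test rogue-leaf.pem
if verify_chain both-roots.pem rogue-leaf.pem; then
    echo "store={Demo,Other}  rogue-leaf.pem (issued by Other): OK"
fi
```

Run it as `sh demo.sh` with OpenSSL 1.1.1 or later on the PATH; the trust file given to `-CAfile` is the only thing that changes between the accepted and the rejected case, which is the whole point of the answer: removing a root CA removes nothing but the machine's willingness to accept what that CA has signed, and keeping one keeps its ability to vouch for any name.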


You don't require them: it's just a legacy habit. Take a look at Project Perspectives