
> A chain of trust doesn't mean a commercial body

Correct, but it does mean entities that are qualified to be trusted on the matter. I don't trust a lot of my contacts (both personal or commercial) to be good people for judging what is safe/legit/secure.

How many times I've heard an otherwise technically competent individual complain at being laughed at for using "but <other_person> gave me the link, I assumed it was OK" as part of their defence when having the mick taken out of them for getting infected by malware from some ropey website/app/whatever is something it would scare me to count.

> Why shouldn't individuals be capable of forming the same trust networks that companies do

You can. The current system does allow this, though I'll admit not at all intuitively for the general public. Create your own CA keys, have contacts include them in their trust stores. Build a web of trust by signing each other's keys (or passing them between each other and new contacts via secure channels).

> They state that the certificate is not trusted, or something to that effect, when in fact they mean that the certificate is not recognized in their trust network.

From their PoV those two things are the same. Things I have no reason to trust are not things I can guarantee are trustworthy. In security there is unfortunately no room for granting the "benefit of the doubt".
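
The procedure the comment above sketches (your own CA, contacts' keys signed by it, the CA cert added to a trust store), as an added worked example that is not part of the thread or anyone's posted code. It uses only the openssl CLI; the names "My Personal CA", "Stranger CA", alice.example and bob.example and the scratch directory are assumptions for illustration. The last step shows the point about "not trusted" really meaning "not recognised": the same certificate flips from untrusted to trusted purely by adding its issuing CA to the store, and the fingerprint printed at the end is what you would compare out of band before doing that.

```shell
#!/bin/sh
# Added example (not from the thread above): build your own CA, sign a contact's
# key with it, and show that verification depends entirely on whose CA sits in
# the trust store. Names (My Personal CA, alice.example, Stranger CA, bob.example)
# and the scratch directory are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: key + certificate. The .crt is what contacts add to their store.
make_ca() {            # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# A contact makes a key + CSR; the CA owner signs the CSR and never sees the key.
issue_leaf() {         # $1 = signing CA prefix, $2 = leaf prefix, $3 = CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 90 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Verdict for a cert against an explicit trust store only; -no-CApath keeps the
# system CA directory out of the decision. Prints "trusted" or "untrusted".
trust_verdict() {      # $1 = trust-store PEM, $2 = certificate to check
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca mine "My Personal CA"
make_ca stranger "Stranger CA"
issue_leaf mine alice alice.example      # alice is in my network
issue_leaf stranger bob bob.example      # bob is in the stranger's network

# Store holding only my CA: alice verifies, bob is "not trusted" (i.e. not recognised).
printf '%s  %s\n' "$(trust_verdict "$WORK/mine.crt" "$WORK/alice.crt")" alice
printf '%s  %s\n' "$(trust_verdict "$WORK/mine.crt" "$WORK/bob.crt")" bob

# Adding the stranger's CA to my store (after checking its fingerprint out of band)
# is how a trust network grows; the very same bob.crt now verifies.
cat "$WORK/mine.crt" "$WORK/stranger.crt" > "$WORK/store.pem"
printf '%s  %s\n' "$(trust_verdict "$WORK/store.pem" "$WORK/bob.crt")" bob
openssl x509 -in "$WORK/stranger.crt" -noout -fingerprint -sha256
```

Set WORK to a directory you want to keep if you intend to reuse the keys; by default everything lands in a fresh mktemp directory. The -no-CApath flag matters for the demonstration: without it openssl verify would also consult the system CA directory, which is exactly the implicit trust the comment is arguing against.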


