gpg --gen-key
a) There is something else that you know about IdenTrust, and that is that your browser vendor trusts them. This is the whole point of this CA thing: in the end you trust whom your browser vendor trusts (with the option of removing CAs for which you disagree). This is far from perfect (especially since the vendors' vetting process can be quite opaque), but it is not nothing - after all, you should trust your browser vendor, otherwise all the encryption of the world can't save you from someone eavesdropping on your websurfing.
b) Your argument can be read (or misconstrued?) to state that it would be perfectly reasonable to trust IdenTrust if they had a 2015-looking, professional website written in Angular and node instead. Which, of course, is not the case as many who entrusted their money to fraudsters with professional looking websites will be able to attest to.
> you trust who your browser trusts
Exactly, and my OS. But I run Mac and I am sure Windows users can relate, there are over 200 CAs and I have no idea what heuristics can be used to determine whether they are trustworthy. It wouldn't be a big deal except a compromise at ANY means they could fake ANY website.
Now, on a serious note. If you were running node and you had a super clean react front end with a picture of Jamie lee Miller from hackers super imposed over the ghostbusters symbol (responsive using html5 flex boxes) for sure I would trust you with the security for every website I visit.
I just meant the comment more as idem trust looks like a random rent collector who hasn't updated their business model since 1995. As a broker of trust, I find it disconcerting I know fuck all about them and even if I did, there are hundreds more like that. If you have the money, I don't because I am broke, for sure it would be worth $100 for a padlock when a user hits your site. With nothing more to go on than their site though, it looks like they have been on autopilot for 10 years and I can't wait for Lets encrypt to go live.