That's not the way in which the system is structured for 100% trust. The problem is that the system as a whole produces a binary answer: "Yes, this site has passed your trust chain" and "No, it has not." There's no room for dodgy certs, and certainly no room for dodgy root CAs.
Further, there's no room for decreasing my trust in a cert based on the length of the chain, or who's on the chain, or anything like that.
The whole system is structured to produce a 100% certification of trust, or a 0% certification of trust. This has the consequence that when the system is compromised in the way that you talk about in your last paragraph, it doesn't degrade; it falls apart.
It's not that robots from the future might compromise a cert, and going to something so fantastic in the light of the real threat of sovereign governments and the proved threat of compromised root CA certs (proved as in "you could buy this device for real money and have it really delivered to you") is a rhetorical unkindness. It is that nobody can any longer claim with a straight face that the system is 100%, and unfortunately, with SSL that leaves only one alternative.
Compare with the semi-mythical "web of trust", which would have ways of dealing with this that don't violate the very mathematical foundations of the system.