
Re: Global PKI on DNS?

2002-06-12 10:35:34
> > I don't want to discount the importance of cert discovery, but I do
> > think it's a stretch to believe that you're going to be willing to trust
> > all of the certs that you discover in a chain of significant length, for
> > a significant set of purposes.
>
> So do you think that there's a necessary difference in trustworthiness
> between the certs that you "discover" when you take your computer out of
> the box, or download the latest browser, and those that you would discover
> via some lookup mechanism?  Even if the certs discovered via that
> mechanism were associated with policies based on explicit agreements
> and terms of use between your organization and the various issuers?

no, I think there's likely to be a difference in the trustworthiness
of a short chain of certs involving a small number of other parties 
vs. that of a long chain of certs involving a larger number of other
parties.  and if the cert discovery mechanism can incorporate 
personal and/or site policy, that's great - as long as it knows 
which policy to use under which circumstances.  

in general I think the longer the cert chain, the narrower the applicability.

Keith


