My question is how can you trust the CA?
According to http://mcg.org.br/cert.htm, you can trust the CA:
A characteristic of X.509 is that it predicates that almost all issues
that involve semantics or trust are delegated to a CA's CPS --
Certification Practice Statement -- which is declared out of scope in
relationship to X.509. The CA's CPS is the governing law that the CA
presents to potential clients and represents a top-down framework. While
some consider the CPS mechanism to be a good way to introduce
flexibility in X.509 because each CA can have its own rules for
different needs, such a mechanism can be considered as X.509's
"black-hole" and cannot be harmonized for different CAs. Thus, while
this "black-hole" mechanism affords a "solution" to the undefined
semantic and trust features in X.509 (as they are declared out of scope
and delegated to the CPS), such "laissez faire" attitude leaves ample
room for strong differences between CAs and for a biased
"take-it-or-leave-it" attitude regarding what a CA subscriber can
expect. Further, it does not scale to a planetary Internet because even
though it could work in a parochial Internet where everyone knows what
to expect and shares a common law and trust system, it is doubtful that
it could be always successfully applied between competing businesses or
different states in a country -- much less between different countries.
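The quoted text says X.509 pushes the question of what a CA actually promises out to its CPS. A practical follow-up to the question is: where does a certificate tell you which policy and which CPS it was issued under? RFC 5280 carries that in the certificatePolicies extension (OID 2.5.29.32), whose PolicyInformation entries hold a policy OID and, optionally, an id-qt-cps qualifier with a CPS URI. The example below is added here and is not code from the original post or from mcg.org.br. It uses only the Python standard library: a minimal DER encoder builds a constructed extension value (the CA/Browser Forum domain-validated policy OID 2.23.140.1.2.1 with a made-up CPS URL https://example.com/cps, plus a hypothetical private policy OID 1.2.3.4.5 with no qualifier), and a minimal DER walker extracts the policy OIDs and CPS pointers back out. It parses only the extension value, not a whole certificate; in practice you would take those bytes from a real certificate with a full X.509 parser or `openssl x509 -text`.

```python
"""Find the policy OID(s) and CPS pointer(s) in an X.509 certificatePolicies value.

Stdlib-only DER encode/decode of the RFC 5280 structure:
  certificatePolicies ::= SEQUENCE OF PolicyInformation
  PolicyInformation   ::= SEQUENCE { policyIdentifier OID,
                                     policyQualifiers SEQUENCE OF PolicyQualifierInfo OPTIONAL }
  PolicyQualifierInfo ::= SEQUENCE { policyQualifierId OID, qualifier ANY }
  id-qt-cps qualifier ::= IA5String (a CPS URI)
"""

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_IA5STRING = 0x16

OID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # id-qt-cps: qualifier is a CPS URI
OID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # id-qt-unotice: qualifier is a UserNotice
OID_CABF_DV = "2.23.140.1.2.1"        # CA/Browser Forum domain-validated policy


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))  # continuation bit on all but the last octet
            arc >>= 7
        body.extend(reversed(chunks))
    return der_tlv(TAG_OID, bytes(body))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def iter_sequence(content):
    """Yield (tag, content) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]  # valid for first arc 0, 1 or 2 with second arc < 40
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_certificate_policies(der):
    """Return one dict per PolicyInformation: policy OID, CPS URI (or None), user-notice flag."""
    tag, outer, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    result = []
    for _, pinfo in iter_sequence(outer):
        elems = list(iter_sequence(pinfo))
        entry = {"policy": decode_oid(elems[0][1]), "cps": None, "has_user_notice": False}
        if len(elems) > 1:  # optional policyQualifiers present
            for _, qinfo in iter_sequence(elems[1][1]):
                qelems = list(iter_sequence(qinfo))
                qid = decode_oid(qelems[0][1])
                if qid == OID_QT_CPS and qelems[1][0] == TAG_IA5STRING:
                    entry["cps"] = qelems[1][1].decode("ascii")
                elif qid == OID_QT_UNOTICE:
                    entry["has_user_notice"] = True
        result.append(entry)
    return result


def build_sample_extension():
    """Constructed sample value (not from any real certificate): a CA/B Forum DV
    policy with a made-up CPS URL, and a hypothetical private policy with no qualifier."""
    cps_qualifier = der_tlv(TAG_SEQUENCE, encode_oid(OID_QT_CPS)
                            + der_tlv(TAG_IA5STRING, b"https://example.com/cps"))
    dv_policy = der_tlv(TAG_SEQUENCE, encode_oid(OID_CABF_DV)
                        + der_tlv(TAG_SEQUENCE, cps_qualifier))
    private_policy = der_tlv(TAG_SEQUENCE, encode_oid("1.2.3.4.5"))  # hypothetical CA-private OID
    return der_tlv(TAG_SEQUENCE, dv_policy + private_policy)


if __name__ == "__main__":
    for p in parse_certificate_policies(build_sample_extension()):
        print(p)
```

The second entry shows the point the quoted text makes: a policy OID with no CPS pointer tells a relying party nothing on its own; what that OID means lives in whatever document the CA publishes, if any.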