Re: Trust and CA's
"I have exactly *five* CAs enabled in my browsers. Save for a US government website a few weeks ago, it's been more than five years since I needed to enable a CA."
So you've had to enable one five times. You know what you're doing when you do that, but most users do not. If they have to do something five times (per device and browser), it becomes a thing they expect. Not to mention that some people use a lot more of the internet. I routinely visit sites hosted in a lot of countries, usually small personal sites by people running technical projects, and geographic and linguistic diversity also brings CA diversity.
There is no harm in you disabling all the CAs. There is some in doing that to people who won't know what that means and might be trained to bypass certificate warnings by doing so. Browser makers are better at judging certificate trustworthiness than a child who only understands "If I press this button, the site loads" or adults who, in my experience, manage to understand even less and damage more.
"I can't be bothered to look now but there is, in Firefox's certificate store, a CA cert from some sort of Turkish bank. Take a look under "T"."
Challenge accepted. I think I found it:
Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK
I don't speak Turkish, so this looks like a lot of scary words. Let's see what it translates to:
Scientific and Technological Research Council of Turkey
That doesn't look like a bank, but maybe it's a front for one. Let's see who runs it: www.tubitak.gov.tr. So not a bank. A part of the Turkish government. Now maybe we don't trust the Turkish government, but there is a difference between that, a bank, and every bank out there. Incidentally, that is not the only one run by a government entity of some sort.
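The check done by hand above (open the store, find the entry, read off who it belongs to) can be scripted against any PEM bundle. The following is an added example and not part of the original post or of any browser's tooling: it builds a throwaway bundle of self-signed certificates with constructed subjects (the TUBITAK name copied from above plus two invented US organisations), then prints each certificate's subject so country and organisation can be read off. `make_ca`, `list_subjects` and `count_country` are helper names chosen here; the sample store is constructed, not a real trust store.

```shell
#!/bin/sh
# Added example (not from the original post): enumerate the subjects of every
# CA certificate in a PEM bundle so that government-run or unfamiliar CAs stand
# out. The bundle here is constructed from throwaway self-signed certs; on a
# real system point it at e.g. /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu).
set -e

WORK=$(mktemp -d)
BUNDLE="$WORK/bundle.pem"
: > "$BUNDLE"

# make_ca SUBJECT: append a self-signed certificate with that subject to $BUNDLE.
# The private key is discarded; only the certificate matters for this listing.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "$1" -days 1 -out "$WORK/one.pem" 2>/dev/null
    cat "$WORK/one.pem" >> "$BUNDLE"
}

# Constructed sample store: the TUBITAK name from the post plus two invented US CAs.
make_ca "/C=TR/O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK/CN=TUBITAK Root CA"
make_ca "/C=US/O=Example Trust Services/CN=Example Root CA"
make_ca "/C=US/O=Example Government/OU=PKI/CN=Example Federal Root"

# list_subjects BUNDLE: split the bundle into one file per certificate and
# print one RFC 2253 subject line per certificate (CN=...,O=...,C=...).
list_subjects() {
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { print > (dir "/split" n ".pem") }' "$1"
    for f in "$WORK"/split*.pem; do
        openssl x509 -in "$f" -noout -subject -nameopt RFC2253
    done
}

# count_country BUNDLE CC: number of certificates whose subject C= equals CC.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e from firing.
count_country() {
    list_subjects "$1" | grep -c -E "[=,]C=$2(,|\$)" || true
}

echo "Subjects in $BUNDLE:"
list_subjects "$BUNDLE"
echo "Turkish CAs: $(count_country "$BUNDLE" TR)"
echo "US CAs:      $(count_country "$BUNDLE" US)"
```

Firefox does not keep its roots in a PEM file but in an NSS database, so for that store the equivalent listing is NSS's `certutil -L -d <profile directory>` rather than `openssl x509`; the grep on the subject's `C=` attribute works the same way on its output. The country code only says where the operator is incorporated, so the organisation field still has to be read by a human, exactly as the post did for TUBITAK.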