The real question is this — does anyone really care? How many consumers bother to click through to see where your SSL cert came from? How many consumers will even recognize the CA’s?

I suspect very few on both counts.

Does anyone have any data to the contrary?

>>because they are not signing your certificate directly with that trust root.
I recollect reading somewhere that NOT signing the certificate directly with the original trust root is actually more secure than doing so because it prevents the original root from being compromised, ever.

Comodo swears by this. Their entire range of certs (even EV SSL certs) require intermediate certs. In fact, I just had it confirmed by the Comodo partner support person that their only reason for this is a policy decision never to sign any cert with the original trust root and that even Verisign had changed its policy as of last year.

Regarding the trust root, this may have changed, we’re just reporting what Thawte has told us. For example, for EV certificates, it does look like Go Daddy is the “trust root” for its own EV SSL Certificate. It is quite likely that for other certificates, that it is not the trust root. The intermediate certificate is required for your browser to accept these other certificates as valid. You can check the certificate chain yourself. In FireFox, for example,
* Double click on the “lock” icon.
* Click on “View Certificate”
* Click on “Details”.
* See the “Certificate Hierarchy”.

One Go Daddy site I looked at had a chain of several Go Daddy authorities. In cases where Go Daddy does own the trust root, that they make make other certificates for signing specific kinds of certificates. In this cases, they would need to sign these other certificates with their own Trust root and provide an intermediate certificate so that the browser / server would have the full chain. I.e. this is a case where intermediate certificates would be required even for places that have their own trust root which is actually trusted — because they are not signing your certificate directly with that trust root.

So, on these two points, there isn’t any difference between Thawte and GoDaddy. In fact, GoDaddy is much cheaper at $99.

Is it possible that intermediate certs are still required for certs even from authorities who have their own trust roots? GoDaddy seems to require intermediate certs. If GoDaddy’s certifying authority owns their trust root, why are the intermediate certs required?

The other points in this article are all very valid. GoDaddy’s horrible commercials alone are enough reason for a self-respecting business not to touch their services.

I researched this and what was actually meant was that Safari (and some other browsers) will not recognize the Go Daddy certificate as valid unless additional “intermediate” certificates are installed on the web server. If you do not install the certificate chain that makes Go Daddy “valid”, then you will get warnings in these browsers (not not in newer versions of Internet Explorer and FireFox, for example).

I have revised the post to be explicit about that.