0

I know that the Root CA bundles differ between OS/browsers/applications. However, it seems like Verisign is always included.

How did this become the case? Is there some sort of standard?

I'm just curious since SSL has become a big topic lately at my place of work.

Belmin Fernandez

2 Answers

3

There is no standard set of certificate authorities, and the list of trusted authorities may vary from one application to another. Linux Weekly News had an interesting article about this last August.

larsks
0

Verisign has a very large customer base and has been around for a long time. Omitting it would cause problems for a large percentage of sites. This would be a problem for users, and consequently would cause them to change to a different tool.

Most tools allow you to check the trust chain so you can verify what your experience would be like if Verisign was not in the CA bundle. I sometimes clean the bundle of CAs that I am unlikely to trust, but always keep Verisign.

Some tools such as VPNs allow users to specify their own trusted authorities. With a private CA this can greatly simplify trust relationships.

BillThor
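The check described in the answer above (what verification looks like once a CA is missing from the bundle), as an added example that is not part of the original posts: it uses the `openssl` CLI to build two constructed throwaway CAs and a leaf certificate, removes one CA from the bundle by subject, and verifies the leaf against both bundles. The names `keep-ca`, `drop-ca` and `www.example.test` and the helper functions are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Constructed demo: keep-ca, drop-ca and www.example.test are made-up names.

# make_pki DIR: two throwaway root CAs and a leaf certificate issued by drop-ca.
make_pki() {
  local d=$1 ca
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/req.cnf"
  for ca in keep-ca drop-ca; do
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/drop-ca.pem" -CAkey "$d/drop-ca.key" \
    -set_serial 1 -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/keep-ca.pem" "$d/drop-ca.pem" > "$d/bundle.pem"
}

# prune_bundle BUNDLE PATTERN: print BUNDLE minus every CA whose subject matches PATTERN.
prune_bundle() {
  local tmp c; tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
       n {f = d "/" n ".pem"; print >> f; close(f)}' "$1"   # one file per certificate
  for c in "$tmp"/*.pem; do
    openssl x509 -in "$c" -noout -subject | grep -q -- "$2" || cat "$c"
  done
  rm -rf "$tmp"
}

# trusted BUNDLE CERT: succeed if openssl can build a chain from CERT using BUNDLE.
trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# demo: verify the leaf against the full bundle, then against the pruned one.
demo() {
  local d full pruned; d=$(mktemp -d)
  make_pki "$d"
  prune_bundle "$d/bundle.pem" "drop-ca" > "$d/pruned.pem"
  trusted "$d/bundle.pem" "$d/leaf.pem" && full=ok || full=fail
  trusted "$d/pruned.pem" "$d/leaf.pem" && pruned=ok || pruned=fail
  echo "full=$full pruned=$pruned certs_left=$(grep -c 'BEGIN CERTIFICATE' "$d/pruned.pem")"
  rm -rf "$d"
}

demo
```

When checking a real site certificate against a pruned copy of a system bundle, add `-no-CApath` (OpenSSL 1.1.0 and later) to `openssl verify` so the system trust directory is not consulted alongside the bundle.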