I think I understand why you are not following what I am saying.
You prove that the certificate came from comodo, and only comodo. It can't have come from anyone else.
This isnt trust -- its public key crypto. Only the issuer could sign it. If you trust it or not, its irrelevant, only that it could only have possibly originated from there.
If you believe that the public key is truly owned by the subject because the issuer said so -- this is trust.
OK, but that's only helpful here in the sense that I could remove Comodo from my trust store, but nobody's going to do that. Not even me, and I'm the one complaining about this. What I can't do is have any confidence in the provenance of a CSR they signed: did it actually come from the organization that controls that domain? (That was what I meant by "provenance")
I think I understand why you are not following what I am saying.
You prove that the certificate came from comodo, and only comodo. It can't have come from anyone else. This isnt trust -- its public key crypto. Only the issuer could sign it. If you trust it or not, its irrelevant, only that it could only have possibly originated from there.
If you believe that the public key is truly owned by the subject because the issuer said so -- this is trust.