There is NO TRUST on the Internet!!! The 'Crypto Messenger' attempts to solve this with a 2-Level approach to securing your messages:
1st, each user maintains their own CA (Certificate Authority). When a Contact is created, CSRs (Certificate Signing Requests) are created, exchanged, and then signed by each other's CA. Once each user has a Certificate signed by the other, those certificates are used to create CMS (Cryptographic Message Syntax) data, which contains the actual content of your messages.
2nd, Best Practices are followed when interacting with the Crypto Messenger Services including but not limited to:
A.) Web Services use ONLY HTTPS, with self-signed certificates from the Crypto Messenger CA (with the exception of the initial call to the CmCert Service)
B.) TLS using ONLY PFS (Perfect Forward Secrecy) ciphers
C.) Certificate Authentication to Web Services
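
The contact setup and message flow from the first level, as an added example that is not the Crypto Messenger's own code: two constructed users, alice and bob, each create a CA, sign the other's CSR, and exchange one CMS message with the `openssl` CLI. RSA-2048 keys, sign-then-encrypt ordering, and all file and function names are assumptions; the page does not specify them.

```shell
#!/bin/sh
# Constructed demo: user names, RSA-2048 and sign-then-encrypt are assumptions.
set -eu
q() { "$@" >/dev/null 2>&1; }          # run quietly, keep the exit status

make_identity() {   # $1=dir $2=user: a personal CA, plus a message key and CSR
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf"
  q openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2 CA" -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem"
  q openssl req -config "$1/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr"
}

cross_sign() {      # $1=dir $2=CSR owner $3=contact whose CA issues the cert
  q openssl x509 -req -in "$1/$2.csr" -CA "$1/$3-ca.pem" \
    -CAkey "$1/$3-ca.key" -CAcreateserial -days 30 -out "$1/$2.pem"
}

send() {            # $1=dir $2=sender $3=recipient $4=text -> $1/msg.cms
  # Use the recipient's certificate only if the sender's own CA issued it.
  q openssl verify -CAfile "$1/$2-ca.pem" "$1/$3.pem"
  printf '%s' "$4" > "$1/plain"
  q openssl cms -sign -binary -nodetach -in "$1/plain" -signer "$1/$2.pem" \
    -inkey "$1/$2.key" -outform DER -out "$1/signed.der"
  q openssl cms -encrypt -binary -aes256 -in "$1/signed.der" \
    -outform DER -out "$1/msg.cms" "$1/$3.pem"
}

receive() {         # $1=dir $2=recipient $3=trusted CA file; prints the text
  openssl cms -decrypt -binary -inform DER -in "$1/msg.cms" \
    -recip "$1/$2.pem" -inkey "$1/$2.key" -out "$1/inner.der" 2>/dev/null &&
  openssl cms -verify -binary -inform DER -in "$1/inner.der" \
    -CAfile "$3" 2>/dev/null
}

demo() {            # full contact setup and one message from alice to bob
  d=$(mktemp -d)
  make_identity "$d" alice; make_identity "$d" bob
  cross_sign "$d" alice bob; cross_sign "$d" bob alice   # CSRs exchanged
  send "$d" alice bob 'hello bob'
  receive "$d" bob "$d/bob-ca.pem"
}
```

`receive` is given only the recipient's own CA as a trust anchor, so a message whose signer certificate the recipient did not issue fails verification.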