Does that mean you need to trust the first key issuer and if they are compromised the rest is as well?