Hacker News

> By design, certificate authorities need to be 1. trustworthy, 2. highly vetted and 3. very few. If everyone is a certificate authority, then no one is.

Isn't that the situation we are in now? All it takes is one CA with poor security coughDiginotarcough and the whole system is broken. I'm obviously ignoring the fact we have CRLs - but if someone has a signed cert for, say, chase.com or google.com, they can do a lot of damage in a very short amount of time.

Maybe I'm just cynical that there is a profit motive to CAs. I mean, you can't tell me that it's just greed that you can purchase a certificate to turn a user's address bar green because it's "extended validated". The average user won't notice, or even know what that means. Big picture behavior - there is no functional difference between an EV and a non-EV signed certificate.

My opinion: if we keep the SSL/CA system the way it is today - we need fewer CAs, but create non-profit CAs where the average person can get a CA-signed/trusted certificate for free or next to free. I'm not talking about grabbing some random dude off the street and starting a non-profit - it should be funded and sponsored by companies like Google/Verisign/Microsoft etc.



I agree with everything you've said here. Certificate authorities are, like all organizations, prone to corruption and misaligned incentives. There are certainly issues, and it's very much an imperfect solution. The trouble is that getting rid of them (right now) is a net loss for cryptographic integrity. SSL, and perhaps public key infrastructure underpinning it, needs to be redesigned. There is no viable alternative just yet.


Or better, cut Verisign completely out of this... correct me if I am wrong, but if the major browser vendors, Microsoft, Google, Apple, Opera, and Mozilla, come together, can't they basically decide to cut off any certificate authority as they wish? Can't they basically tell Verisign to issue certificates free of cost or get booted out?


The only reason why I suggested Verisign is because they have been in the industry long enough to know what they are doing (presumably) and not make the same mistakes that were made in the past.

Worst case scenario - if Verisign doesn't want to share the toys in the sandbox, Microsoft/Google/Mozilla et al. can just refuse to include their CA certs as trusted certs.

However, Verisign is in a very interesting position as they currently manage/control .com tld.

So what I'm saying is - if the children don't agree to play together, then they can take their toys and go home, and then no one can play.

(I like to use the analogy of children and these big companies because, in my opinion, it appears that's how they operate. They just can't come together, like mature adults, and form some sort of solution to this. Last I heard is that Google wants to show an error page for non-HTTPS enabled sites, on Chrome, which will make everything even worse[1]. Don't even get me started on the whole self-signed cert error message page...).

[1] - http://www.chromium.org/Home/chromium-security/marking-http-...
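Two points in this thread have a concrete mechanism behind them: the first comment's claim that a single badly run CA breaks the whole system (path validation accepts a certificate for any hostname from any root in the store, and revocation is a separate check), and the later point that browser vendors can simply stop shipping a CA's root. The following Go program, added here as an illustration and not taken from the thread, builds two unrelated self-signed roots with the standard library's crypto/x509, has each issue a server certificate for chase.com (a hostname taken from the thread and used only as sample data), and then runs browser-style chain validation against different trust stores. The CA names are constructed; the only assumption is a Go toolchain recent enough to honour DNS names in the SAN extension (1.15 or later).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a self-signed CA certificate, the equivalent of one entry in a
// browser's root store. The name is a constructed stand-in for a real CA.
func newRoot(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf has root sign a server certificate for host. Nothing in X.509 ties
// a root to a set of domains, so any trusted root can issue for any name.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// acceptedFor reports whether a client that trusts exactly the given roots
// would accept leaf for host. Like a browser's path validation this checks the
// chain and the name only; revocation (CRL/OCSP) is a separate step that
// Verify does not perform, which is why a leaked CA key is so damaging.
func acceptedFor(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	careful, carefulKey := newRoot("Careful CA", 1)
	compromised, compromisedKey := newRoot("Compromised CA", 2)
	// Constructed scenario: the site's real cert, and one minted by the weak CA for the same host.
	legit := issueLeaf(careful, carefulKey, "chase.com")
	rogue := issueLeaf(compromised, compromisedKey, "chase.com")

	fmt.Println("both roots trusted, legit cert:     ", acceptedFor(legit, "chase.com", careful, compromised))
	fmt.Println("both roots trusted, rogue cert:     ", acceptedFor(rogue, "chase.com", careful, compromised))
	// The vendors' lever: drop the weak root from the store and its issuances stop validating.
	fmt.Println("weak root removed, rogue cert:      ", acceptedFor(rogue, "chase.com", careful))
	// The name check still applies; a cert for one host is not accepted for another.
	fmt.Println("rogue cert presented for google.com:", acceptedFor(rogue, "google.com", careful, compromised))
}
```

Run it with `go run .`; the first two lines print true, the last two false. The second line is the whole problem in one boolean: with both roots in the store the client cannot tell the rogue certificate from the real one, and the third line is the only remedy the trust-store model offers, which is exactly the "refuse to include their CA certs" move discussed above.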



