Posted Sep 11, 2011 0:42 UTC (Sun) by dskoll
Parent article: Certificates and "authorities"
One idea would be for Mozilla et al. to compile a list of "independent" CAs. That is, CAs that are independent businesses and not subsidiaries of one another. Then users could only trust certs that are signed by N > 1 independent CAs, where users could choose N based on their circumstances.
This would, alas, make life more expensive and more complicated for Web site owners, but it means that hackers would have to compromise N CAs instead of 1 CA to perform a MITM attack. And high-value targets like Google, Paypal, banks, eBay, etc. can surely afford certificates signed by 4 or 5 independent CAs.
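The policy sketched in the comment above, as an added example that is not part of the LWN thread and is not Mozilla's or any browser's code. It assumes a hypothetical independence list that maps each issuer name to the business that owns it (so two subsidiaries of one parent count once), a constructed set of per-CA keys, and an HMAC in place of a real X.509 signature; real X.509 carries one issuer per certificate, so the "N signatures" are modelled as N separate certificates binding the same name and public key. The check counts only distinct independent owners whose signature actually verifies, so a single compromised CA, or a forged signature from a CA whose key the attacker does not hold, cannot reach the threshold on its own.

```python
"""Toy 'N independent CAs' trust check (added example, not from the LWN thread)."""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical independence list: issuer name -> independent business that owns it.
# Two issuers owned by the same business count as ONE independent CA.
INDEPENDENCE_LIST = {
    "Alpha Root CA": "Alpha Inc",
    "Alpha Secure CA G2": "Alpha Inc",   # subsidiary brand of Alpha Inc
    "Beta Trust CA": "Beta Ltd",
    "Gamma Global CA": "Gamma AG",
    "Delta Public CA": "Delta Corp",
}

# Constructed per-CA signing keys (derived from the name only for this demo).
# HMAC-SHA256 stands in for the CA's real signature over the certificate body.
CA_KEYS = {name: hashlib.sha256(name.encode()).digest() for name in INDEPENDENCE_LIST}


@dataclass(frozen=True)
class Cert:
    subject: str        # DNS name the CA vouches for
    spki: bytes         # subject public key, treated as an opaque byte string here
    issuer: str         # issuing CA name, looked up in INDEPENDENCE_LIST
    signature: bytes    # HMAC over tbs() under the issuer's key


def tbs(subject: str, spki: bytes, issuer: str) -> bytes:
    """The 'to be signed' body: what the CA actually commits to."""
    return b"|".join([subject.encode(), spki, issuer.encode()])


def ca_sign(subject: str, spki: bytes, issuer: str) -> Cert:
    """Issue a cert from a CA whose key we hold (used for honest CAs and for a compromised one)."""
    sig = hmac.new(CA_KEYS[issuer], tbs(subject, spki, issuer), "sha256").digest()
    return Cert(subject, spki, issuer, sig)


def independent_signers(certs, subject: str, spki: bytes) -> set:
    """Return the set of independent businesses whose CAs validly certified (subject, spki)."""
    owners = set()
    for c in certs:
        if c.subject != subject or c.spki != spki:
            continue                       # vouches for a different name or key: irrelevant
        key = CA_KEYS.get(c.issuer)
        owner = INDEPENDENCE_LIST.get(c.issuer)
        if key is None or owner is None:
            continue                       # issuer not on the independence list
        expected = hmac.new(key, tbs(c.subject, c.spki, c.issuer), "sha256").digest()
        if not hmac.compare_digest(c.signature, expected):
            continue                       # forged or corrupted signature: does not count
        owners.add(owner)                  # subsidiaries collapse onto their parent here
    return owners


def trusted(certs, subject: str, spki: bytes, n: int) -> bool:
    """The user's policy: accept only if at least n independent CAs certified this key."""
    return len(independent_signers(certs, subject, spki)) >= n


def demo():
    """Honest site with three certs (two from one business) vs. a MITM with one compromised CA."""
    site_key = b"site-pubkey-01"                     # constructed sample key material
    site_certs = [
        ca_sign("example.com", site_key, "Alpha Root CA"),
        ca_sign("example.com", site_key, "Alpha Secure CA G2"),   # same owner as above
        ca_sign("example.com", site_key, "Beta Trust CA"),
    ]
    mitm_key = b"mitm-pubkey-99"
    mitm_certs = [
        ca_sign("example.com", mitm_key, "Beta Trust CA"),        # attacker compromised Beta
        Cert("example.com", mitm_key, "Gamma Global CA", b"\x00" * 32),  # forged, key not held
        site_certs[0],                                            # real cert, but for the site's key
    ]
    return {
        "site_owners": independent_signers(site_certs, "example.com", site_key),
        "site_ok_n2": trusted(site_certs, "example.com", site_key, 2),
        "site_ok_n3": trusted(site_certs, "example.com", site_key, 3),
        "mitm_owners": independent_signers(mitm_certs, "example.com", mitm_key),
        "mitm_ok_n2": trusted(mitm_certs, "example.com", mitm_key, 2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the demo shows: the honest site's three certificates count as only two independent CAs because two of them share an owner, so the site passes N=2 but not N=3; the attacker who compromised one CA gets exactly one independent signer, since the forged Gamma signature fails verification and the genuine Alpha certificate vouches for a different key. Raising N is what forces the attacker to compromise more independent businesses, which is the comment's whole point.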