Laurie: Improving SSL certificate security
Posted Apr 4, 2011 16:06 UTC (Mon) by dlang (guest, #313)
In reply to: Laurie: Improving SSL certificate security by gmaxwell
Parent article: Laurie: Improving SSL certificate security
Any company that runs a CA that is trusted by the browsers can issue a certificate for _any_ domain.
This means that GE (one of the companies listed) could issue a certificate for irs.gov, and it's only their internal processes that prevent this from happening.
This is the fundamental problem. And a company like Microsoft or Google cannot defend against this because they don't have any control over what all the CAs do (especially since some of them are government agencies).
If Google were to start issuing certs, this would not solve any problems; it would just add one more vendor who could create certs. They could issue their own certs, but certs issued by someone else would continue to be considered valid by all the browsers and other tools out there.
The commercial CA vendors are trying to strike a balance between security and ease of use, and in this case there was a hole that made it too easy for someone to request a cert ;-)
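The point made in the comment above, that a trust store binds no CA to any particular name, can be shown with the openssl command line. The script below is an added example and is not part of the LWN thread or of Laurie's proposal; the CA labels "expected" and "other" and the hostname example.test are constructed for it, and it assumes an openssl binary (1.1 or later) is on the PATH. It creates two independent self-signed roots, has each issue a certificate for the same hostname, and shows that ordinary chain validation accepts both, while a check that pins the issuer for that hostname (the kind of relying-party constraint the comment says is missing) accepts only one.

```shell
#!/bin/sh
# Added example, not from the thread: two unrelated CAs, one hostname.
# Standard chain validation accepts a leaf from either CA as long as the
# CA's root is in the trust store; only an explicit issuer pin distinguishes
# them. All names below are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed root CA named "<label> Root" (hypothetical CA).
make_ca() {  # $1 = CA label
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1 Root" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Have CA "$1" issue a leaf certificate for hostname "$2".
issue_leaf() {  # $1 = CA label, $2 = hostname
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.$1.key" -out "$2.$1.csr" 2>/dev/null
  openssl x509 -req -in "$2.$1.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.$1.crt" 2>/dev/null
}

# Validation as a browser performs it: any root in the store may sign any name.
chain_valid() {  # $1 = leaf cert, $2 = trust store (concatenated roots)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Relying-party pin: accept only a leaf whose issuer CN is the one expected
# for this hostname. This is the constraint the trust store itself lacks.
issuer_pinned() {  # $1 = leaf cert, $2 = expected issuer CN
  openssl x509 -in "$1" -noout -issuer | grep -q "CN *= *$2"
}

make_ca expected
make_ca other
issue_leaf expected example.test
issue_leaf other example.test
# Both roots are trusted, exactly as every browser-trusted CA is.
cat expected.crt other.crt > truststore.pem

for leaf in example.test.expected.crt example.test.other.crt; do
  if chain_valid "$leaf" truststore.pem; then
    echo "$leaf: chain validation accepts it"
  fi
  if issuer_pinned "$leaf" "expected Root"; then
    echo "$leaf: issuer pin accepts it"
  else
    echo "$leaf: issuer pin rejects it"
  fi
done
```

Running it prints that both leaves pass chain validation and that only the one issued by the "expected" root passes the pin. The pin here matches on the issuer's CN only, which is enough to make the point; a production pin would compare a public-key or certificate fingerprint rather than a name that any CA could reuse.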
