David Glover-Aoki

2015 pages

Certificate Authorities

I hate the Certificate Authority system.

The whole thing seems inherently untrustworthy. Your browser will trust any certificate issued by literally any of the enormously long list of CAs installed on your computer or phone, so all it takes is for a single one of them to be compromised and bam, the whole trust model comes tumbling down. Add gratuitously inflated prices for certs on top and the whole thing just seems like a scam.

Unless I'm missing something obvious, it doesn't even have to be this way. This problem was solved with the PGP model long ago. Here is my proposed alternative:

Businesses generate their own self-signed certs. They then publish the fingerprint somewhere in the real world. For example, banks could post the fingerprint in every branch. Amazon could put the fingerprint on every box shipped. Online-only businesses could publish their fingerprints in newspapers or on billboards, etc.

When you first visit a site, your browser shows you the fingerprint of the cert in use and asks you to verify it. If the fingerprint matches the one you have already seen in the real world, you accept it, you browser stores it, and from then on your connection is secure.

In addition, the web-of-trust model would make it easier for smaller business and individuals to get trusted certs. Banks and other large companies could sign your private cert for you, so that as long as someone has already approved the banks cert, your cert would automatically be accepted as well.

I can't really think of any huge downsides to this idea, except that many CAs would go out of business. And this probably isn't a huge loss.