I would love to see the certificate authority model become less and less important.
“Can you write a small check to an organization we are all pretty sure isn’t outright malicious?”
Is a surprisingly good pragmatic protection against malicious SSL certificates, I will admit.
But there’s significant flaws with the approach - notably power dynamics and creation of large scary targets for bad actors.
I would love to see CA acceptance move from PASS/FAIL to a dynamic risk score, that is based on my own browsing behavior (calculated solely within my browser).
If I spend 90% of my time browsing domains at example(dot)mycorporation(dot)com, there’s a great chance that anything new signed by the same authorities can be automatically trusted.
It would still put a lot of power in the hands of Amazon and Google, but would reduce that power in scale to the amount of services they’re actually providing to each user.
I would love to see the certificate authority model become less and less important.
“Can you write a small check to an organization we are all pretty sure isn’t outright malicious?”
Is a surprisingly good pragmatic protection against malicious SSL certificates, I will admit.
But there’s significant flaws with the approach - notably power dynamics and creation of large scary targets for bad actors.
I would love to see CA acceptance move from PASS/FAIL to a dynamic risk score, that is based on my own browsing behavior (calculated solely within my browser).
If I spend 90% of my time browsing domains at example(dot)mycorporation(dot)com, there’s a great chance that anything new signed by the same authorities can be automatically trusted.
It would still put a lot of power in the hands of Amazon and Google, but would reduce that power in scale to the amount of services they’re actually providing to each user.