Anyone notice how Google issues themselves a certificate? For some crazy reason I see different results when I sign my own certs on my server... man, the cert issuer oligopoly sucks...
That's because Google is an intermediary CA[1]; pretty much all large institutions that use certificates for authentication are. For example, a good number of universities use Internet2 as a backbone and issue themselves certs under an umbrella intermediary called InCommon.
Becoming an intermediary is hard and expensive because we want the CA system to be as secure as possible, and some security measures and auditing take money.
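To make the "intermediary CA" point above concrete, here is an added example (not code from anyone in this thread) written against Go's standard library only. All names, serial numbers and lifetimes are constructed for the illustration. It builds a root CA, an intermediate signed by that root, and a leaf signed by the intermediate, then verifies the leaf the way a TLS client would, with the root as the only trust anchor. It also shows the two ways the poster's own signing attempts would fail: a leaf presented without its intermediate, and a leaf that is simply self-signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. The common names and
// serial numbers are constructed for this example and carry no meaning
// outside it.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		// A CA certificate must be allowed to sign other certificates.
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return tmpl
}

// issue generates a fresh P-256 key for tmpl and signs tmpl with parentKey
// under parent. When parent is nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Chain holds the constructed hierarchy plus a lone self-signed leaf.
type Chain struct {
	Root, Intermediate, Leaf, SelfSignedLeaf *x509.Certificate
}

// BuildChain creates root -> intermediate -> leaf, and a separate
// self-signed leaf for the same hostname.
func BuildChain() (*Chain, error) {
	root, rootKey, err := issue(newTemplate("Example Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(newTemplate("Example Intermediate CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(newTemplate("www.example.test", 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	selfSigned, _, err := issue(newTemplate("www.example.test", 4, false), nil, nil)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf, SelfSignedLeaf: selfSigned}, nil
}

// VerifyLeaf checks leaf the way a TLS client would: root is the only trust
// anchor; intermediates are untrusted hints that must themselves chain to it.
func VerifyLeaf(leaf, root *x509.Certificate, intermediates []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf with intermediate:   ", VerifyLeaf(c.Leaf, c.Root, []*x509.Certificate{c.Intermediate}))
	fmt.Println("leaf without intermediate:", VerifyLeaf(c.Leaf, c.Root, nil))
	fmt.Println("self-signed leaf:         ", VerifyLeaf(c.SelfSignedLeaf, c.Root, nil))
}
```

The first call succeeds only because the intermediate is presented alongside the leaf and its own signature checks out against the trusted root; drop the intermediate or sign the leaf yourself and verification fails with an unknown-authority error. That is the whole difference between Google signing "its own" certificate and a home-grown self-signed one: the intermediate's key is itself certified by a root already in the client's trust store.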
I know, sorry, my irony wasn't that explicit I guess. Really, I don't see how making it hard and expensive to become a CA intermediary helps security at all; it just means we have to trust those that have money and power, rarely the best idea.
I would much rather trust people who jump through some hoops to prove they're secure than people who don't (or routinely show that, despite the hoop jumping, they're not -- looking at you, India CCA).
By and large, the process prevents fraudulent certificates, and at the cost of $5/y, I'm not horribly upset.
Would the world be a better, more perfect place if the CA system were organized differently? Maybe. But the likes of StartCOM are not the answer (predatory pricing is no bueno).
I think it depends on what you're comparing the current system with, right? I mean, sure, if it's either no hoop jumping or you have to pay some money, then you can figure the person willing to give up bucks and go through the trouble is probably a little more reliable because of that. But how is that type of system ideal or secure? Currently, SSL certs give me very little assurance that any data over the connection is not being backdoored/sniffed to whomever, that the private certs aren't compromised, etc. I think we shouldn't be trusting people because of hoops they go through, but because the system we use doesn't allow fraudulent players to stay in the game. Personally, I'd like to see it head in this direction:
How is Namecoin any different? It's a pay-to-play system too. Decentralized CAs are nice and all, but what happens when a state actor gains more than 50% of the hash power and can then make their own certs at will? DNSChain is also no better than GPG-signing all your assets in the end. You still have to trust that "greg" is the "greg" that has "greg" in DNSChain and that no one has compromised "greg".