SSL of the Future

I just happened to watch a video about some considerations that need to be taken into account in order to improve SSL for the future. It outlined the fact that there has been great and gross negligence on the part of many CA’s in their bid to make money. They have just not been verifying the authenticity of all their customers at an acceptable level. Because of this they are somehow seen to have gone out of control and the fact that web browsers already have CA root certificates in them the makes it rather difficult to remove individual certificates because in doing so, one might blank out a considerable portion of the internet (if the CA had a good proportion of customers). Additionally, if a specific user decides to remove the certificates of certain ‘untrustable’ CA’s out of personal preference, they may have to contend with the fact that certain websites may become ‘off-limits’ areas to them out of choice… and the user will have to live with that.

One of the suggestions of a future model (with or without CA’s) is the fact that the trust relationship should not be a permanent one, as is seen today with most CA’s. The relationship seems to be forced upon the user, with very little leeway or choice and simplicity to back out of a destructive/untrustworthy relationship.

The other suggestion was to ensure that the user can chose who to trust, that is, there is a free choice among equally likely candidates whom a user can trust in order to verify whether a particular website is actually supplying a valid certificate that proves their authenticity.

These 2 suggestions are put together in what Moxie Marlinspike terms as “Trust Agility.”

To me it seems as some part of the way forward, though still we still have to place our trust in some 3rd party. There seems to be no way out of this trusting someone else…