> > That is all fine, but the Financial Services Association of North
> > Korea can do the same thing.
>
> At some point you need to decide which entities you trust a priori,
> from which you can chain other entities. Once you've done that it
> doesn't really matter whether it's the CAB's list of signers or the
> IANA DNSSEC root, or a cert in a browser from a vendor you like.

I think the gist of an alternative system is that the only entity that should be allowed to sign a service's certificate is the entity's owner. That is, Chase Bank's chase.com certificate should only be signed by the JP Morgan IT department. Right now, the Chinese Post Office can sign for it, and the browsers will trust it, but if JP Morgan IT signs it, the browsers will block it.

Regardless of how the technical mechanisms need to work, the concept is the same. A web service's certificate should be signed by the owner of the service, to certify that they are responsible for the site. Beyond that, the rest is just non-technical reputation. The same way you like or dislike "bob from work" or enjoy or hate shopping at "Retailer X".
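One way to make the concept above concrete, as an added example that is not part of this post or the thread: the Go program below pins each hostname to the root run by the service's owner rather than to a shared browser root store. It generates two roots in memory, a hypothetical "JP Morgan IT" root standing in for the owner and a hypothetical "Some Public CA" root standing in for an unrelated but widely trusted CA, has both issue a certificate for chase.com, and shows that only the owner-issued one verifies. All names, keys and certificates are constructed for the example; nothing is fetched from the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is a key pair plus the certificate carrying its public key.
type entity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// check aborts the example on unexpected errors (key generation, encoding).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a fresh P-256 key and has parent sign tmpl for it; a nil parent yields a self-signed certificate.
func mint(tmpl *x509.Certificate, parent *entity) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &entity{key: key, cert: cert}
}

// newCA makes a self-signed root named cn (the names used below are illustrative).
func newCA(cn string) *entity {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// issueLeaf has issuer sign a server certificate for host.
func issueLeaf(issuer *entity, host string) *x509.Certificate {
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, issuer).cert
}

// ownerAnchors maps a hostname to the only roots allowed to sign for it. This is the
// per-service trust decision from the post expressed as a pin: a root that is not the
// owner's is simply absent, so being "browser trusted" buys an attacker nothing here.
type ownerAnchors map[string]*x509.CertPool

// verifyForHost accepts leaf only if it chains to the owner's anchor for host.
func verifyForHost(anchors ownerAnchors, host string, leaf *x509.Certificate) error {
	pool, ok := anchors[host]
	if !ok {
		return fmt.Errorf("no owner anchor registered for %q", host)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// demo issues a chase.com certificate from an owner-run root and from an unrelated root,
// then reports which ones an owner-only verifier accepts.
func demo() (ownerOK, thirdPartyOK, wrongHostOK bool) {
	owner := newCA("JP Morgan IT")   // hypothetical: the site owner's own CA
	other := newCA("Some Public CA") // hypothetical: an unrelated, widely trusted CA
	pool := x509.NewCertPool()
	pool.AddCert(owner.cert)
	anchors := ownerAnchors{"chase.com": pool}

	ownerLeaf := issueLeaf(owner, "chase.com")
	otherLeaf := issueLeaf(other, "chase.com")
	ownerOK = verifyForHost(anchors, "chase.com", ownerLeaf) == nil
	thirdPartyOK = verifyForHost(anchors, "chase.com", otherLeaf) == nil
	wrongHostOK = verifyForHost(anchors, "example.org", ownerLeaf) == nil
	return
}

func main() {
	fmt.Println(demo()) // true false false
}
```

The interesting part is what the code does not contain: there is no global root list, so the question "who is allowed to sign for chase.com" is answered per name rather than by a store of hundreds of signers. The part it leaves open is the same one the post calls non-technical: how a client learns the owner's root in the first place. Pinning and DANE-style TLSA records are two existing answers to that distribution problem, each with its own trust anchor to be decided a priori.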