I'm a big fan of Netscape and their products, and I think they do a good job of addressing the interests of their customers and the public at large with respect to crypto issues. But it's starting to become apparent that there's a fairly serious problem with Certification Authorities and SSL.

The problem is simple enough: sites with certificates from one of the CAs that are preconfigured in Netscape have a tremendous advantage over sites with certs from other CAs, and it's expensive and difficult to get a cert if you're running an alternative server like ApacheSSL. This problem is going to get a lot worse when X509 client authentication becomes more popular. Netscape needs to address the situation. It's just not practical or desirable for one company (Verisign) to have a stranglehold on certificates.

I'd like to see a less centralized CA that's tied into the existing system of notaries. The idea is to make it necessary to spoof a notary in order to spoof the CA. That won't make spoofing the CA impossible (nothing will), but it will make spoofing the CA illegal.

A notary could apply to the CA for the right to work as an agent, for a nominal fee (<$100/year). Only notaries could be agents. If a person wants a certificate, they'd come in and present ID and a key to the notary/agent. The person would have to present a form document stating that he's requesting the cert. The notary would stamp the form and affix a signature to the key which would enable it to be processed automatically by the CA. Fees for the whole procedure ought to be less than $30. The CA ought to operate off of the fees from the agents as a non-profit organization, and the agents ought to keep the fees paid by the people requesting the certificates.

Would any of the lawyers on the list be willing to comment on whether or not it's possible or practical to tie a CA into the notary system? Does anyone have any thoughts as to how difficult/risky spoofing my CA is compared to spoofing Netscape or Verisign?

I could put up a server and I think I know a lawyer who would help me set up a non-profit organization on a shoestring, but I don't want to do it if the plan is impractical. Moreover, although I don't think it's reasonable to expect Netscape to agree to include a non-existent CA in their browsers sight unseen, at the same time it doesn't seem smart to sink money into setting up the CA without some indication from Netscape that they're willing to give the idea good faith consideration.