On Sat, 6 Sep 2003, James A. Donald wrote:
> Thus under this attack, ssh uncertified keys work far better than https certified keys.
A central certification authority has its risks and advantages. Remembering the fingerprints of known keys and alerting on new or changed ones has its advantages too. Why shouldn't we have it all? Why couldn't there be a system that would keep a database of known keys and report changes and new keys, like SSH does, and at the same time give the possibility to have the keys signed by several CAs? Effectively turning the hierarchy with a potentially vulnerable top into a much less vulnerable web structure? That way you could get a key certified by Verisign, Thawte, and a handful of small private CAs of various groups and people, and its fingerprint remembered by the clients. If one of the CAs gets compromised, no problem, as the other certificates still hold. If a server key gets changed, or there is a confusion attack in progress ("BankOpAmerica"), the clients are immediately aware of it. Could SSL be modified to allow more CAs for one certificate? If it isn't a good idea, why?
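An added example, not from this thread, of the client-side trust rule the post sketches: remember each host's key fingerprint the way SSH does, and accept a never-seen key only when enough independent trusted CAs endorse it. CA signatures are stood in for by HMAC-SHA256 under a constructed per-CA secret; the CA names beyond Verisign and Thawte, the host names and the key bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in: a CA "signs" (host, key) with HMAC-SHA256 under a per-CA
# secret so the example runs on the standard library alone. A real deployment
# would verify X.509 signatures with each CA's public key instead.
def ca_sign(ca_secret: bytes, host: str, pubkey: bytes) -> bytes:
    return hmac.new(ca_secret, host.encode() + b"\0" + pubkey, hashlib.sha256).digest()

def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()

@dataclass
class TrustStore:
    trusted_cas: dict                           # CA name -> verification secret
    min_cas: int = 2                            # endorsements needed for a NEW key
    known: dict = field(default_factory=dict)   # host -> remembered fingerprint

    def count_valid(self, host: str, pubkey: bytes, certs: dict) -> int:
        """How many trusted CAs' endorsements of (host, key) verify."""
        n = 0
        for ca, sig in certs.items():
            secret = self.trusted_cas.get(ca)
            if secret and hmac.compare_digest(ca_sign(secret, host, pubkey), sig):
                n += 1
        return n

    def evaluate(self, host: str, pubkey: bytes, certs: dict) -> tuple:
        fp = fingerprint(pubkey)
        valid = self.count_valid(host, pubkey, certs)
        remembered = self.known.get(host)
        if remembered == fp:
            return "known", valid           # SSH-style: same key as last time
        if remembered is not None:
            return "CHANGED", valid         # differs from the pinned key: alert
        if valid >= self.min_cas:
            self.known[host] = fp           # enough independent CAs: pin it
            return "new-certified", valid
        return "new-uncertified", valid     # first sight, too few CAs: ask the user

def demo() -> list:
    cas = {"verisign": b"vs-secret", "thawte": b"th-secret", "smallca": b"sc-secret"}
    store, host = TrustStore(trusted_cas=cas), "bank.example"
    key_a, key_b = b"server-key-A", b"server-key-B"          # constructed key bytes
    full = {ca: ca_sign(s, host, key_a) for ca, s in cas.items()}
    only_small = lambda h, k: {"smallca": ca_sign(cas["smallca"], h, k)}
    return [store.evaluate(host, key_a, full),                # first contact, 3 CAs
            store.evaluate(host, key_a, full),                # repeat visit
            store.evaluate(host, key_b, only_small(host, key_b)),   # one CA misused
            store.evaluate("bankopamerica.example", key_a,          # look-alike name
                           only_small("bankopamerica.example", key_a))]
```

The third call shows a single compromised CA endorsing a replacement key: the fingerprint mismatch raises the alert regardless of the signature, and the one endorsement would not have met the threshold anyway.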