Note that the problem here is in the basic trust model, not just the certificate distribution model (which is a separate problem). The lack of ability for a certifier to revoke his own certification, plus the lack of a facility to put limits on the duration and meaning of the certification, make PGP certificates of very limited practical value.
Isn't the last bit here, the part about duration and meaning, the practical answer to the problem? Especially duration?
The stuff that's been going on lately with Netscape's browsers, Sameer's Apache SSL server, and the difficulty of getting CAs like VeriSign to approve keys underscores the importance of this issue.
This is probably sort of half-baked, but is it possible to come up with a formal grammar that would allow us to describe trust models in general? What if we had a Prolog-like system that allowed you to set up rules like:
"x is a student if x has got a signature from a school"
"x is a school if x has got a signature from the accreditation authority"
"x belongs to the secret society if x has signatures from 3 other people who have belonged to the society for more than a year, and if x is a certified owner of a duck."
Wouldn't something like this give us the flexibility to use a PGPish model of trust or an X.509ish model, or whatever else we wanted to do?
It seems to me that the rules that govern when you can accept which signature ought to be data objects in a more flexible system, just as the signatures themselves are data objects. That means that the rules themselves ought to be subject to change, revocation, or revision.
The constitution wouldn't have survived if it didn't contain a mechanism for amendment. Wouldn't a model of trust with the same ability for revision and extension be a lot more robust, and a lot more resistant to centralized control?
Indeed, I agree that's the right approach. In fact, I agree so much that I've spent the last few months (with Joan Feigenbaum and Jack Lacy) developing the principles and structure for just such a "trust management" system. Watch this space for details of our system, called "PolicyMaker", which I expect to release a paper about shortly and a reference implementation around April or May. -matt
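
The three quoted rules, held as data and evaluated over signed certifications. This is an added example, not code from this thread and not PolicyMaker. All principals, dates and the "duck registry" root are constructed; signatures are assumed already verified, and "more than a year" is read as the signer's tenure on the day of signing.

```python
from datetime import date, timedelta

# Axiomatically trusted (principal, role) -> date the role has been held since.
ROOTS = {("aa", "accreditor"): date(1990, 1, 1),
         ("registry", "duck_registry"): date(1990, 1, 1),
         ("f1", "member"): date(1994, 1, 1), ("f2", "member"): date(1994, 1, 1),
         ("f3", "member"): date(1995, 9, 1)}

# Rules are data: role -> (signer's role, distinct signers needed,
#                          signer's minimum tenure in days, other roles required).
RULES = {"school": ("accreditor", 1, 0, ()),
         "student": ("school", 1, 0, ()),
         "duck_owner": ("duck_registry", 1, 0, ()),
         "member": ("member", 3, 366, ("duck_owner",))}  # "more than a year"

# Constructed certifications (signer, subject, role, signed_on); the
# cryptographic signature check is assumed to have passed already.
CERTS = [("aa", "stateu", "school", date(1995, 1, 1)),
         ("stateu", "alice", "student", date(1996, 1, 10)),
         ("diploma_mill", "bob", "student", date(1996, 1, 10)),
         ("registry", "carol", "duck_owner", date(1996, 1, 15)),
         ("f1", "carol", "member", date(1996, 2, 1)),
         ("f2", "carol", "member", date(1996, 2, 1)),
         ("f3", "carol", "member", date(1996, 2, 1))]

def held_since(who, role, today, rules=RULES, certs=CERTS, seen=frozenset()):
    """Return the date from which `who` holds `role` under `rules`, or None."""
    if (who, role) in ROOTS:
        return ROOTS[(who, role)]
    if role not in rules or (who, role) in seen:  # unknown role or signing cycle
        return None
    seen = seen | {(who, role)}
    signer_role, need, tenure, also = rules[role]
    valid = {}  # signer -> date of that signer's earliest acceptable signature
    for signer, subject, r, signed_on in certs:
        if (subject, r) != (who, role) or signed_on > today:
            continue
        since = held_since(signer, signer_role, signed_on, rules, certs, seen)
        if since is not None and signed_on - since >= timedelta(days=tenure):
            valid[signer] = min(signed_on, valid.get(signer, signed_on))
    if len(valid) < need:
        return None
    acquired = sorted(valid.values())[need - 1]
    for other in also:
        o = held_since(who, other, today, rules, certs, seen)
        if o is None:
            return None
        acquired = max(acquired, o)
    return acquired
```

Under RULES carol is refused, because f3 had been a member for under a year when signing; passing a revised table such as dict(RULES, member=("member", 2, 366, ("duck_owner",))) changes the outcome without touching the evaluator or the certifications.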