There are two problems.

First, CA AND/OR ToFU, or notaries or some other kind of acceptance of the certificates.  That is a large issue, but the CA model is broken.  It would be even more convenient not to have to bother with any authentication, encryption and passwords, but if we are going to bother with it, it may as well be actually secure.  We need not trust them collectively - the difficulty comes when there are lots of different certs from the same site, but I might trust a google domain cert signed with a google signing cert over one signed by diginotar.

Second, they generally don't escrow the ephemeral keys, but, if I understand correctly, if the key exchange does not have perfect forward secrecy, if the traffic is recorded, and the original private keys are exposed (subpoenaed, hacked, broken) any session is as well.  Note that the exposure of one private key unlocks ALL such recorded sessions.  This would apply even if I generate my own keypair and private cert.

On Sat, Jul 27, 2013 at 5:56 PM, Lodewijk andré de la porte <l@odewijk.nl> wrote:
What problem are we solving, exactly? No eavesdropping is simple enough. No MITM is not preventable without information known to come from the intended source. Presently we have "all knowers" called certificate authorities. We trust them as a collective not individually. Their security depending on their collective is a fatal mistake. The idea of an all-knower is very, very convenient for the design of these systems.