2005-06-19 · in Ideas · 241 words

Many people who use SSL certificates do not want to pay extortionate sums to a certification authority for dubiously-trustable global authentication. These users currently have two choices: use self-signed certificates, or set up their own local CA to sign their certificates. Both options cause warning messages to pop up in browsers; even open-source browsers enforce this monopoly on usable secure HTTP access. This is clearly an undesirable situation.

One option would be to modify all browsers so that these warnings could be disabled -- providing SSL security without authentication. There are a lot of browsers and other SSL clients out there, though.

A different approach would be to set up a public certification authority that anybody could use, by generating a keypair and distributing both parts of it (the private key as well as the public one) widely. This "Uncertified CA" keypair could be used to sign certificates that are currently self-signed (or CA certificates). Users could then add the Uncertified CA certificate to their browser's certificate cache if they did not want to be bothered with warnings about untrusted certificates.

Some browsers already have a highly-visible indication that a page is secured with SSL; for example, Mozilla Firefox highlights the address bar in yellow. These browsers could simply be modified to show sites signed by the Uncertified CA in a different colour. (In fact, it might be generally useful to be able to indicate which CAs signed a given certificate -- it could display a logo for the CA, or something.)
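The indicator logic described above, as an added Go example that is not part of the original post: the client keeps the Uncertified CA in its own pool, separate from its ordinary roots, so a certificate chaining to it is reported as encrypted but unauthenticated, which is all a CA with a public signing key can support. The names `newCert` and `Classify`, the three labels and every hostname are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name; a nil parent yields a self-signed CA. All names and keys are constructed.
func newCert(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Classify tries the ordinary root first, then the Uncertified CA alone, and returns the indicator to show.
func Classify(leaf *x509.Certificate, host string, realCA, uncertifiedCA *x509.Certificate) string {
	for i, root := range []*x509.Certificate{realCA, uncertifiedCA} {
		roots := x509.NewCertPool()
		roots.AddCert(root)
		if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err == nil {
			return []string{"authenticated", "encrypted-only"}[i]
		}
	}
	return "untrusted"
}

func main() {
	realCA, _ := newCert("real-ca.example", nil, nil)
	openCA, openKey := newCert("uncertified-ca.example", nil, nil)
	leaf, _ := newCert("shop.example", openCA, openKey)
	fmt.Println(Classify(leaf, "shop.example", realCA, openCA)) // encrypted-only
}
```

If the Uncertified CA were merged into the ordinary root pool instead, the first check would succeed and the two cases would be indistinguishable to the user.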