[lmm]

I agree in principle, but currently every CA is a single point of failure for the entire Internet, so adding more CAs makes things worse rather than better. We need something like DNSSEC/DANE to enable actual decentralization (where the Hong Kong post office could only sign Hong Kong domain names and so on).

[joosters]

Why should the Hong Kong post office only be able to sign HK domain names? Are businesses in Hong Kong not allowed .com addresses?

[lmm]

I would like to see a single responsible CA for each domain (which are allowed to hierarchically delegate). Country-specific agencies should only be able to sign domains within their country, and .com addresses (which should be reserved for genuinely international sites, though that's a separate argument) should be handled by an international CA that can a) apply some consistent international standard for how domain owners are identified etc. and b) be specifically held accountable for dodgy .com certificates

[joosters]

So... one CA for each domain, leaving no competition? And which unwanted domain will LetsEncrypt be left with, then?

Back in the real world, we have multiple CAs who have accountability for lots of overlapping domains. You can wish for some other non-existent situation, everyone else has to make the best of the situation as it stands.

[lmm]

> So... one CA for each domain, leaving no competition? And which unwanted domain will LetsEncrypt be left with, then?

Domains can compete with each other, particularly given the big opening up of TLDs. We could have actual competition between CAs at the end-user-facing level because it'd be visible to the user who the CA was (the CA and the registry ought to be merged - at the moment they're two parallel sets of infrastructure for doing the same thing), and if particular domains/CAs had poor-quality identity checking users might actually start to notice. As opposed to today, where the only one who knows which CA a domain might be using is the domain owner, and so the incentive largely is for the CA to do as little checking as possible.

> Back in the real world, we have multiple CAs who have accountability for lots of overlapping domains. You can wish for some other non-existent situation, everyone else has to make the best of the situation as it stands.

There's a migration path. Enable DNSSEC/DANE with all CAs authorized for all domains initially, then allow countries / TLD owners to start restricting who can sign certificates for their domains. If Hong Kong moved to requiring only Hong Kong Post Office to sign their domains, we could see how well or badly that model works - if it reduces phishing / spying then other countries will follow the same, if it stifles innovative internet businesses then they'll move away from that. But 150+ entities all having the power to own every site on the internet can't possibly be the right model.